# Flog Txt Version 1 # Analyzer Version: 2.3.2 # Analyzer Build Date: Feb 15 2019 13:52:06 # Log Creation Date: 19.02.2019 18:25:50.524 Process: id = "1" image_name = "document3.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\document3.exe" page_root = "0x4f50f000" os_pid = "0x738" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\document3.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 7 start_va = 0xbe0000 end_va = 0xbf7fff entry_point = 0xbe0000 region_type = mapped_file name = "document3.exe" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\document3.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\document3.exe") Region: id = 8 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9 start_va = 0x77a40000 end_va = 0x77bbffff entry_point = 0x77a40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 11 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 12 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 13 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 14 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 15 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 149 start_va = 0x3d0000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 150 start_va = 0x74f80000 end_va = 0x74f87fff entry_point = 0x74f80000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 151 start_va = 0x74f90000 end_va = 0x74febfff entry_point = 0x74f90000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 152 start_va = 0x74ff0000 end_va = 0x7502efff entry_point = 0x74ff0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 153 start_va = 0x530000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 154 start_va = 0x773b0000 end_va = 0x774bffff entry_point = 0x773b0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 155 start_va = 0x775f0000 end_va = 0x77635fff entry_point = 0x775f0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 156 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x0 region_type = private name = "private_0x0000000077640000" filename = "" Region: id = 157 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x0 region_type = private name = "private_0x0000000077740000" filename = "" Region: id = 158 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 159 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 160 start_va = 0x75470000 end_va = 0x75481fff entry_point = 0x75470000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 161 start_va = 0x75590000 end_va = 0x7559bfff entry_point = 0x75590000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 162 start_va = 0x755a0000 end_va = 0x755fffff entry_point = 0x755a0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 163 start_va = 0x75660000 end_va = 0x7570bfff entry_point = 0x75660000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 164 start_va = 0x75710000 end_va = 0x75719fff entry_point = 0x75710000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 165 start_va = 0x75a60000 end_va = 0x75a78fff entry_point = 0x75a60000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 166 start_va = 0x75a80000 end_va = 0x75b0ffff entry_point = 0x75a80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 167 start_va = 0x75b10000 end_va = 0x75bfffff entry_point = 0x75b10000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 168 start_va = 0x76e30000 end_va = 0x76f8bfff entry_point = 0x76e30000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 169 start_va = 0x76f90000 end_va = 0x7702ffff entry_point = 0x76f90000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 170 start_va = 0x771d0000 end_va = 0x772cffff entry_point = 0x771d0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 171 start_va = 0x77350000 end_va = 0x773a6fff entry_point = 0x77350000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 172 start_va = 0x77550000 end_va = 0x775ecfff entry_point = 0x77550000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 173 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 174 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 175 start_va = 0x630000 end_va = 0x7b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 176 start_va = 0x7e0000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 177 start_va = 0x76b30000 end_va = 0x76bfbfff entry_point = 0x76b30000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 178 start_va = 0x76c00000 end_va = 0x76c5ffff entry_point = 0x76c00000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 179 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 180 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 181 start_va = 0x7f0000 end_va = 0x970fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 182 start_va = 0xc00000 end_va = 0x1ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 183 start_va = 0x74ef0000 end_va = 0x74f6ffff entry_point = 0x74ef0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 184 start_va = 0x980000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 185 start_va = 0x2f0000 end_va = 0x3cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 186 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 187 start_va = 0x76c60000 end_va = 0x76ce2fff entry_point = 0x76c60000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 188 start_va = 0x774c0000 end_va = 0x7754efff entry_point = 0x774c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 189 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 190 start_va = 0x75330000 end_va = 0x75465fff entry_point = 0x75330000 region_type = mapped_file name = "comsvcs.dll" filename = "\\Windows\\SysWOW64\\comsvcs.dll" (normalized: "c:\\windows\\syswow64\\comsvcs.dll") Region: id = 191 start_va = 0x75310000 end_va = 0x75323fff entry_point = 0x75310000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 192 start_va = 0x752f0000 end_va = 0x75305fff entry_point = 0x752f0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 193 start_va = 0x140000 end_va = 0x17bfff entry_point = 0x140000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 194 start_va = 0x140000 end_va = 0x17bfff entry_point = 0x140000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 195 start_va = 0x140000 end_va = 0x17bfff entry_point = 0x140000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 196 start_va = 0x140000 end_va = 0x17bfff entry_point = 0x140000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 197 start_va = 0x140000 end_va = 0x17bfff entry_point = 0x140000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 198 start_va = 0x752b0000 end_va = 0x752eafff entry_point = 0x752b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 199 start_va = 0x2000000 end_va = 0x22cefff entry_point = 0x2000000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 200 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 201 start_va = 0x470000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 202 start_va = 0x980000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 203 start_va = 0xaf0000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 204 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 205 start_va = 0xab0000 end_va = 0xaeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 206 start_va = 0x2430000 end_va = 0x252ffff entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 207 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 208 start_va = 0x752a0000 end_va = 0x752adfff entry_point = 0x752a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 209 start_va = 0x140000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 210 start_va = 0x1a0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 211 start_va = 0x22f0000 end_va = 0x23effff entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 212 start_va = 0x2640000 end_va = 0x273ffff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 213 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 214 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 215 start_va = 0x75260000 end_va = 0x7526bfff entry_point = 0x75260000 region_type = mapped_file name = "cmlua.dll" filename = "\\Windows\\SysWOW64\\cmlua.dll" (normalized: "c:\\windows\\syswow64\\cmlua.dll") Region: id = 216 start_va = 0x75280000 end_va = 0x7528dfff entry_point = 0x75280000 region_type = mapped_file name = "cmutil.dll" filename = "\\Windows\\SysWOW64\\cmutil.dll" (normalized: "c:\\windows\\syswow64\\cmutil.dll") Region: id = 217 start_va = 0x75270000 end_va = 0x75278fff entry_point = 0x75270000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 218 start_va = 0x75cc0000 end_va = 0x76909fff entry_point = 0x75cc0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 628 start_va = 0x75720000 end_va = 0x7583cfff entry_point = 0x75720000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 629 start_va = 0x180000 end_va = 0x186fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 630 start_va = 0x190000 end_va = 0x191fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 631 start_va = 0x2740000 end_va = 0x2b32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002740000" filename = "" Region: id = 695 start_va = 0x750c0000 end_va = 0x750c7fff entry_point = 0x750c0000 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\SysWOW64\\drprov.dll" (normalized: "c:\\windows\\syswow64\\drprov.dll") Region: id = 696 start_va = 0x75090000 end_va = 0x750b8fff entry_point = 0x75090000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 697 start_va = 0x75070000 end_va = 0x75083fff entry_point = 0x75070000 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\SysWOW64\\ntlanman.dll" (normalized: "c:\\windows\\syswow64\\ntlanman.dll") Region: id = 698 start_va = 0x75050000 end_va = 0x75066fff entry_point = 0x75050000 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 699 start_va = 0x75040000 end_va = 0x75047fff entry_point = 0x75040000 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 700 start_va = 0x75030000 end_va = 0x7503efff entry_point = 0x75030000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 701 start_va = 0x74d20000 end_va = 0x74d2afff entry_point = 0x74d20000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 702 start_va = 0x74d10000 end_va = 0x74d18fff entry_point = 0x74d10000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 703 start_va = 0x74d00000 end_va = 0x74d0cfff entry_point = 0x74d00000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 704 start_va = 0xb40000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 705 start_va = 0x2530000 end_va = 0x262ffff entry_point = 0x0 region_type = private name = "private_0x0000000002530000" filename = "" Region: id = 706 start_va = 0x2b40000 end_va = 0x2bfffff entry_point = 0x2b40000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 707 start_va = 0x2ce0000 end_va = 0x2ddffff entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 708 start_va = 0x7efa7000 end_va = 0x7efa9fff entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 709 start_va = 0x2de0000 end_va = 0x2edffff entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Thread: id = 1 os_tid = 0x75c [0025.950] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efca4 | out: lpSystemTimeAsFileTime=0x2efca4*(dwLowDateTime=0x98644c10, dwHighDateTime=0x1d4c880)) [0025.950] GetCurrentThreadId () returned 0x75c [0025.950] GetCurrentProcessId () returned 0x738 [0025.950] QueryPerformanceCounter (in: lpPerformanceCount=0x2efc9c | out: lpPerformanceCount=0x2efc9c*=14240869792) returned 1 [0025.950] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0025.950] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0025.950] GetLastError () returned 0x57 [0025.950] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0025.951] GetLastError () returned 0x57 [0025.951] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x773b0000 [0025.952] GetProcAddress (hModule=0x773b0000, lpProcName="InitializeCriticalSectionEx") returned 0x773c4d28 [0025.952] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0025.952] GetLastError () returned 0x57 [0025.952] GetProcAddress (hModule=0x773b0000, lpProcName="FlsAlloc") returned 0x773c4f2b [0025.952] GetProcAddress (hModule=0x773b0000, lpProcName="FlsSetValue") returned 0x773c4208 [0025.953] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0025.953] GetLastError () returned 0x57 [0025.953] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0025.953] GetLastError () returned 0x57 [0025.953] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x773b0000 [0025.953] GetProcAddress (hModule=0x773b0000, lpProcName="InitializeCriticalSectionEx") returned 0x773c4d28 [0025.953] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0025.953] GetLastError () returned 0x57 [0025.953] GetProcAddress (hModule=0x773b0000, lpProcName="FlsAlloc") returned 0x773c4f2b [0025.953] GetLastError () returned 0x57 [0025.953] GetProcAddress (hModule=0x773b0000, lpProcName="FlsGetValue") returned 0x773c1252 [0025.953] GetProcAddress (hModule=0x773b0000, lpProcName="FlsSetValue") returned 0x773c4208 [0025.953] SetLastError (dwErrCode=0x57) [0025.955] GetStartupInfoW (in: lpStartupInfo=0x2efbdc | out: lpStartupInfo=0x2efbdc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\document3.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xbe3160, hStdOutput=0xc9f32fc3, hStdError=0xfffffffe)) [0025.955] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0025.955] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0025.955] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0025.955] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\document3.exe\" " [0025.955] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\document3.exe\" " [0025.955] GetACP () returned 0x4e4 [0025.955] IsValidCodePage (CodePage=0x4e4) returned 1 [0025.955] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2efbfc | out: lpCPInfo=0x2efbfc) returned 1 [0025.955] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2ef4c4 | out: lpCPInfo=0x2ef4c4) returned 1 [0025.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2efad8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0025.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2efad8, cbMultiByte=256, lpWideCharStr=0x2ef268, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ罂¾Ā") returned 256 [0025.956] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ罂¾Ā", cchSrc=256, lpCharType=0x2ef4d8 | out: lpCharType=0x2ef4d8) returned 1 [0025.956] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2efad8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0025.956] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2efad8, cbMultiByte=256, lpWideCharStr=0x2ef218, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0025.956] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0025.956] GetLastError () returned 0x57 [0025.956] GetProcAddress (hModule=0x773b0000, lpProcName="LCMapStringEx") returned 0x774447f1 [0025.956] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0025.956] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x2ef008, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0025.956] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x2ef9d8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x27\xee\x62\xc9\x14\xfc\x2e", lpUsedDefaultChar=0x0) returned 256 [0025.957] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2efad8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0025.957] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2efad8, cbMultiByte=256, lpWideCharStr=0x2ef238, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鳿¾Ā") returned 256 [0025.957] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鳿¾Ā", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0025.957] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鳿¾Ā", cchSrc=256, lpDestStr=0x2ef028, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0025.957] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x2ef8d8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x27\xee\x62\xc9\x14\xfc\x2e", lpUsedDefaultChar=0x0) returned 256 [0025.957] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2efa20, nSize=0x105 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\document3.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\document3.exe")) returned 0x33 [0025.957] GetProcAddress (hModule=0x773b0000, lpProcName="AreFileApisANSI") returned 0x774440d1 [0025.957] AreFileApisANSI () returned 1 [0025.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\document3.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0025.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\document3.exe", cchWideChar=-1, lpMultiByteStr=0xbf5cb8, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\document3.exe", lpUsedDefaultChar=0x0) returned 52 [0025.957] RtlInitializeSListHead (in: ListHead=0xbf58c0 | out: ListHead=0xbf58c0) [0025.957] GetLastError () returned 0x0 [0025.957] SetLastError (dwErrCode=0x0) [0025.957] GetEnvironmentStringsW () returned 0x546098* [0025.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0025.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x546b70, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0025.958] FreeEnvironmentStringsW (penv=0x546098) returned 1 [0025.958] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0025.958] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbe2d3d) returned 0x0 [0025.959] GetStartupInfoW (in: lpStartupInfo=0x2efc40 | out: lpStartupInfo=0x2efc40*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\document3.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0025.959] GetUserDefaultLangID () returned 0x409 [0025.959] GetKeyboardLayoutList (in: nBuff=0, lpList=0x0 | out: lpList=0x0) returned 1 [0025.960] GetKeyboardLayoutList (in: nBuff=1, lpList=0x547390 | out: lpList=0x547390) returned 1 [0025.960] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="666_nop_nop_nop_nop") returned 0x8c [0025.960] GetLastError () returned 0x0 [0025.960] GetWindowsDirectoryW (in: lpBuffer=0x547390, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0025.960] lstrcatW (in: lpString1="C:\\Windows", lpString2="\\explorer.exe" | out: lpString1="C:\\Windows\\explorer.exe") returned="C:\\Windows\\explorer.exe" [0025.960] GetCurrentProcessId () returned 0x738 [0025.960] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77a40000 [0025.960] GetProcAddress (hModule=0x77a40000, lpProcName="NtQueryInformationProcess") returned 0x77a5fac8 [0025.960] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x738) returned 0x90 [0025.960] NtQueryInformationProcess (in: ProcessHandle=0x90, ProcessInformationClass=0x0, ProcessInformation=0x2efa20, ProcessInformationLength=0x18, ReturnLength=0x0 | out: ProcessInformation=0x2efa20, ReturnLength=0x0) returned 0x0 [0025.960] CloseHandle (hObject=0x90) returned 1 [0025.960] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77a40000 [0025.960] GetProcAddress (hModule=0x77a40000, lpProcName="RtlInitUnicodeString") returned 0x77a6e208 [0025.960] RtlInitUnicodeString (in: DestinationString=0x531300, SourceString="C:\\Windows\\explorer.exe" | out: DestinationString="C:\\Windows\\explorer.exe") [0025.960] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77a40000 [0025.961] GetProcAddress (hModule=0x77a40000, lpProcName="RtlInitUnicodeString") returned 0x77a6e208 [0025.961] RtlInitUnicodeString (in: DestinationString=0x531308, SourceString="C:\\Windows\\explorer.exe" | out: DestinationString="C:\\Windows\\explorer.exe") [0025.961] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77a40000 [0025.961] GetProcAddress (hModule=0x77a40000, lpProcName="RtlInitUnicodeString") returned 0x77a6e208 [0025.961] RtlInitUnicodeString (in: DestinationString=0x53256c, SourceString="C:\\Windows\\explorer.exe" | out: DestinationString="C:\\Windows\\explorer.exe") [0025.961] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77a40000 [0025.961] GetProcAddress (hModule=0x77a40000, lpProcName="RtlInitUnicodeString") returned 0x77a6e208 [0025.961] RtlInitUnicodeString (in: DestinationString=0x532574, SourceString="explorer.exe" | out: DestinationString="explorer.exe") [0025.961] CoInitializeEx (pvReserved=0x0, dwCoInit=0x6) returned 0x0 [0026.283] IIDFromString (in: lpsz="{6EDD6D74-C007-4E75-B76A-E5740995E24C}", lpiid=0x2efa24 | out: lpiid=0x2efa24) returned 0x0 [0026.283] CoGetObject (in: pszName="Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", pBindOptions=0x2efa00, riid=0x2efa24*(Data1=0x6edd6d74, Data2=0xc007, Data3=0x4e75, Data4=([0]=0xb7, [1]=0x6a, [2]=0xe5, [3]=0x74, [4]=0x9, [5]=0x95, [6]=0xe2, [7]=0x4c)), ppv=0x2efa34 | out: ppv=0x2efa34*=0x54ca64) returned 0x0 [0030.551] ObjectStublessClient9 () [0031.917] IUnknown:Release (This=0x54ca64) returned 0x0 [0031.938] Sleep (dwMilliseconds=0x3e8) [0034.236] CryptAcquireContextW (in: phProv=0x2efa54, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2efa54*=0x563da0) returned 1 [0034.237] CryptGenKey (in: hProv=0x563da0, Algid=0xa400, dwFlags=0x1800001, phKey=0x2efa50 | out: phKey=0x2efa50*=0x557130) returned 1 [0034.403] CryptExportKey (in: hKey=0x557130, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x568170, pdwDataLen=0x2efa54 | out: pbData=0x568170*, pdwDataLen=0x2efa54*=0x44) returned 1 [0034.403] CryptExportKey (in: hKey=0x557130, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x568170, pdwDataLen=0x2efa54 | out: pbData=0x568170*, pdwDataLen=0x2efa54*=0xec) returned 1 [0034.403] CryptDestroyKey (hKey=0x557130) returned 1 [0034.403] CryptImportKey (in: hProv=0x563da0, pbData=0x568560, dwDataLen=0x44, hPubKey=0x0, dwFlags=0x0, phKey=0xbf62b8 | out: phKey=0xbf62b8*=0x557130) returned 1 [0034.403] lstrlenA (lpString="BgIAAACkAABSU0ExABAAAAEAAQA9OrphE6ToplNNc+Fw5aEsqyJ4XGYVsO1ydR8iZY6RjI3Np2bh/a5O4fo9iubIXgeRKvjHS8D0SnMF1KdFBcgRK2a/kxAGYxdoqb7DrAgTf2GTzQhbgvR5lbL/109akHUR/L3N5+8ZUhhSF6c07pZrY7YL6LmaJzA+9ogcXz51W7LGSCcJVWnHT3HcNmO0/3vhywahWW6oy1T8urrbD69WrBvwDXm9ghgRL4CLacz6hLhbNAMlVEt2SzGblyM1gtJxdU2twrbX1EA4sUw5yBt6+sl113v4A4mOmcPBdEKCnHSC8vRq2rCqZAkh/sKgQOKbkAvCQG9mlYVtnNc1V+CEJrqEghKSP0ibBrl1cUEsQGDdo3cLE22s1gZs5rmODptQKezndPhN/ndFNrPh8X8Suvx9/TbfubKBJloUsD+3w1O6PwXOs/1XUNZlLRWTaLHs52hXB/jLeMd/RdDzk8ASApH1vUzHWCynmGPo5yvA1Xu0/xB4ArJtbY0MGnwUREATMCBoe01mfuOcwOTgBigDhScFQQpbGKy2VzHgInnmAsntjnBhUIC4uxmOWSsxrSOo6Gl8lOmXq4PSDdWhQ4ygpaF+zgR5nkwz1ID/VC8aoWylmK5BVpZZ5KSeWHXN3t8pz81+4EeovyEFFYtokhxaocJYRgibyOs8eaTQMuJltA==") returned 712 [0034.403] CryptImportKey (in: hProv=0x563da0, pbData=0x568728, dwDataLen=0x214, hPubKey=0x0, dwFlags=0x0, phKey=0x2efa54 | out: phKey=0x2efa54*=0x5571b0) returned 1 [0034.403] CryptEncrypt (in: hKey=0x5571b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2efa6c*, pdwDataLen=0x2efc70*=0xec, dwBufLen=0x200 | out: pbData=0x2efa6c*, pdwDataLen=0x2efc70*=0x200) returned 1 [0034.405] CryptDestroyKey (hKey=0x5571b0) returned 1 [0034.405] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x0, lphEnum=0x2efa3c | out: lphEnum=0x2efa3c*=0x5571f0) returned 0x0 [0037.157] WNetEnumResourceW (in: hEnum=0x5571f0, lpcCount=0x2efa34, lpBuffer=0x568c30, lpBufferSize=0x2efa38 | out: lpcCount=0x2efa34, lpBuffer=0x568c30, lpBufferSize=0x2efa38) returned 0x0 [0037.157] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x568c30, lphEnum=0x2efa1c | out: lphEnum=0x2efa1c*=0x54dbb0) returned 0x0 [0037.160] WNetEnumResourceW (in: hEnum=0x54dbb0, lpcCount=0x2efa14, lpBuffer=0x56f410, lpBufferSize=0x2efa18 | out: lpcCount=0x2efa14, lpBuffer=0x56f410, lpBufferSize=0x2efa18) returned 0x103 [0037.160] WNetCloseEnum (hEnum=0x54dbb0) returned 0x0 [0037.160] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x568c50, lphEnum=0x2efa1c | out: lphEnum=0x2efa1c*=0x54dbb0) returned 0x4b8 [0050.258] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x568c70, lphEnum=0x2efa1c | out: lphEnum=0x2efa1c*=0x54dbb0) returned 0x4c6 [0050.271] WNetEnumResourceW (in: hEnum=0x5571f0, lpcCount=0x2efa34, lpBuffer=0x568c30, lpBufferSize=0x2efa38 | out: lpcCount=0x2efa34, lpBuffer=0x568c30, lpBufferSize=0x2efa38) returned 0x103 [0050.272] WNetCloseEnum (hEnum=0x5571f0) returned 0x0 [0050.272] GetLogicalDrives () returned 0x4 [0050.298] wnsprintfW (in: pszDest=0x5732d0, cchDest=260, pszFmt="\\\\?\\%c:" | out: pszDest="\\\\?\\C:") returned 6 [0050.299] wnsprintfW (in: pszDest=0x573520, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\*") returned 8 [0050.299] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 0x5571f0 [0050.299] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Windows") returned -1 [0050.299] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Program Files") returned -1 [0050.299] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Program Files (x86)") returned -1 [0050.299] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$Recycle.bin") returned 0 [0050.299] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0050.299] lstrcmpiW (lpString1="Boot", lpString2="Windows") returned -1 [0050.299] lstrcmpiW (lpString1="Boot", lpString2="Program Files") returned -1 [0050.299] lstrcmpiW (lpString1="Boot", lpString2="Program Files (x86)") returned -1 [0050.299] lstrcmpiW (lpString1="Boot", lpString2="$Recycle.bin") returned 1 [0050.299] lstrcmpiW (lpString1="Boot", lpString2="System Volume Information") returned -1 [0050.299] wnsprintfW (in: pszDest=0x573520, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot") returned 11 [0050.299] lstrcmpW (lpString1="Boot", lpString2=".") returned 1 [0050.299] lstrcmpW (lpString1="Boot", lpString2="..") returned 1 [0050.300] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\*") returned 13 [0050.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\*", lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0x5572f0 [0050.300] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.300] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.300] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.300] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.300] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.300] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\.") returned 13 [0050.300] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.300] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0050.300] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.300] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0050.300] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0050.300] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\." (normalized: "c:\\boot\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.300] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.301] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.301] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.301] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.301] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.301] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.301] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\..") returned 14 [0050.301] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.301] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.301] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0050.301] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.301] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0050.301] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0050.301] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.301] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.301] lstrcmpiW (lpString1="BCD", lpString2="Windows") returned -1 [0050.301] lstrcmpiW (lpString1="BCD", lpString2="Program Files") returned -1 [0050.301] lstrcmpiW (lpString1="BCD", lpString2="Program Files (x86)") returned -1 [0050.301] lstrcmpiW (lpString1="BCD", lpString2="$Recycle.bin") returned 1 [0050.301] lstrcmpiW (lpString1="BCD", lpString2="System Volume Information") returned -1 [0050.301] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD") returned 15 [0050.301] StrStrIW (lpFirst="BCD", lpSrch=".protected") returned 0x0 [0050.301] lstrcmpW (lpString1="BCD", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.301] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0050.301] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0050.301] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.301] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.301] lstrcmpiW (lpString1="BCD.LOG", lpString2="Windows") returned -1 [0050.302] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files") returned -1 [0050.302] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files (x86)") returned -1 [0050.302] lstrcmpiW (lpString1="BCD.LOG", lpString2="$Recycle.bin") returned 1 [0050.302] lstrcmpiW (lpString1="BCD.LOG", lpString2="System Volume Information") returned -1 [0050.302] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG") returned 19 [0050.302] StrStrIW (lpFirst="BCD.LOG", lpSrch=".protected") returned 0x0 [0050.302] lstrcmpW (lpString1="BCD.LOG", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.302] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0050.302] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0050.302] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.302] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.302] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Windows") returned -1 [0050.302] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files") returned -1 [0050.302] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files (x86)") returned -1 [0050.302] lstrcmpiW (lpString1="BCD.LOG1", lpString2="$Recycle.bin") returned 1 [0050.302] lstrcmpiW (lpString1="BCD.LOG1", lpString2="System Volume Information") returned -1 [0050.302] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0050.302] StrStrIW (lpFirst="BCD.LOG1", lpSrch=".protected") returned 0x0 [0050.302] lstrcmpW (lpString1="BCD.LOG1", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.302] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0050.302] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0050.302] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.302] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0050.302] StrStrW (lpFirst="BCD.LOG1", lpSrch=".txt") returned 0x0 [0050.302] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0050.302] StrStrW (lpFirst="BCD.LOG1", lpSrch=".rar") returned 0x0 [0050.303] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0050.303] StrStrW (lpFirst="BCD.LOG1", lpSrch=".zip") returned 0x0 [0050.303] ReadFile (in: hFile=0x1d0, lpBuffer=0x5935b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef468, lpOverlapped=0x0 | out: lpBuffer=0x5935b0*, lpNumberOfBytesRead=0x2ef468*=0x0, lpOverlapped=0x0) returned 1 [0050.303] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.303] WriteFile (in: hFile=0x1d0, lpBuffer=0x5935b0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2ef468, lpOverlapped=0x0 | out: lpBuffer=0x5935b0*, lpNumberOfBytesWritten=0x2ef468*=0x0, lpOverlapped=0x0) returned 1 [0050.303] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.303] WriteFile (in: hFile=0x1d0, lpBuffer=0x2ef494*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef468, lpOverlapped=0x0 | out: lpBuffer=0x2ef494*, lpNumberOfBytesWritten=0x2ef468*=0x4, lpOverlapped=0x0) returned 1 [0050.304] WriteFile (in: hFile=0x1d0, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef468, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2ef468*=0x30, lpOverlapped=0x0) returned 1 [0050.305] CloseHandle (hObject=0x1d0) returned 1 [0050.306] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1.protected") returned 30 [0050.306] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG1.protected" (normalized: "c:\\boot\\bcd.log1.protected")) returned 1 [0050.307] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.307] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Windows") returned -1 [0050.307] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files") returned -1 [0050.307] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files (x86)") returned -1 [0050.307] lstrcmpiW (lpString1="BCD.LOG2", lpString2="$Recycle.bin") returned 1 [0050.307] lstrcmpiW (lpString1="BCD.LOG2", lpString2="System Volume Information") returned -1 [0050.307] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0050.307] StrStrIW (lpFirst="BCD.LOG2", lpSrch=".protected") returned 0x0 [0050.307] lstrcmpW (lpString1="BCD.LOG2", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.307] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0050.307] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0050.307] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.308] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0050.308] StrStrW (lpFirst="BCD.LOG2", lpSrch=".txt") returned 0x0 [0050.308] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0050.308] StrStrW (lpFirst="BCD.LOG2", lpSrch=".rar") returned 0x0 [0050.308] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0050.308] StrStrW (lpFirst="BCD.LOG2", lpSrch=".zip") returned 0x0 [0050.308] ReadFile (in: hFile=0x1d0, lpBuffer=0x568c30, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef468, lpOverlapped=0x0 | out: lpBuffer=0x568c30*, lpNumberOfBytesRead=0x2ef468*=0x0, lpOverlapped=0x0) returned 1 [0050.308] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.308] WriteFile (in: hFile=0x1d0, lpBuffer=0x568c30*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2ef468, lpOverlapped=0x0 | out: lpBuffer=0x568c30*, lpNumberOfBytesWritten=0x2ef468*=0x0, lpOverlapped=0x0) returned 1 [0050.308] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.309] WriteFile (in: hFile=0x1d0, lpBuffer=0x2ef494*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef468, lpOverlapped=0x0 | out: lpBuffer=0x2ef494*, lpNumberOfBytesWritten=0x2ef468*=0x4, lpOverlapped=0x0) returned 1 [0050.309] WriteFile (in: hFile=0x1d0, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef468, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2ef468*=0x30, lpOverlapped=0x0) returned 1 [0050.309] CloseHandle (hObject=0x1d0) returned 1 [0050.311] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2.protected") returned 30 [0050.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG2.protected" (normalized: "c:\\boot\\bcd.log2.protected")) returned 1 [0050.569] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.569] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Windows") returned -1 [0050.569] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files") returned -1 [0050.569] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files (x86)") returned -1 [0050.569] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="$Recycle.bin") returned 1 [0050.569] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="System Volume Information") returned -1 [0050.570] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0050.570] StrStrIW (lpFirst="BOOTSTAT.DAT", lpSrch=".protected") returned 0x0 [0050.570] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.570] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0050.570] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0050.570] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.570] lstrlenW (lpString="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0050.570] StrStrW (lpFirst="BOOTSTAT.DAT", lpSrch=".txt") returned 0x0 [0050.571] lstrlenW (lpString="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0050.571] StrStrW (lpFirst="BOOTSTAT.DAT", lpSrch=".rar") returned 0x0 [0050.571] lstrlenW (lpString="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0050.571] StrStrW (lpFirst="BOOTSTAT.DAT", lpSrch=".zip") returned 0x0 [0050.571] ReadFile (in: hFile=0x1d0, lpBuffer=0x568c30, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef468, lpOverlapped=0x0 | out: lpBuffer=0x568c30*, lpNumberOfBytesRead=0x2ef468*=0x2800, lpOverlapped=0x0) returned 1 [0050.572] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.572] WriteFile (in: hFile=0x1d0, lpBuffer=0x568c30*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ef468, lpOverlapped=0x0 | out: lpBuffer=0x568c30*, lpNumberOfBytesWritten=0x2ef468*=0x2800, lpOverlapped=0x0) returned 1 [0050.573] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.573] WriteFile (in: hFile=0x1d0, lpBuffer=0x2ef494*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef468, lpOverlapped=0x0 | out: lpBuffer=0x2ef494*, lpNumberOfBytesWritten=0x2ef468*=0x4, lpOverlapped=0x0) returned 1 [0050.573] WriteFile (in: hFile=0x1d0, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef468, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2ef468*=0x30, lpOverlapped=0x0) returned 1 [0050.573] CloseHandle (hObject=0x1d0) returned 1 [0050.575] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.protected") returned 34 [0050.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.protected" (normalized: "c:\\boot\\bootstat.dat.protected")) returned 1 [0050.575] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.576] lstrcmpiW (lpString1="cs-CZ", lpString2="Windows") returned -1 [0050.576] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files") returned -1 [0050.576] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files (x86)") returned -1 [0050.576] lstrcmpiW (lpString1="cs-CZ", lpString2="$Recycle.bin") returned 1 [0050.576] lstrcmpiW (lpString1="cs-CZ", lpString2="System Volume Information") returned -1 [0050.576] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ") returned 17 [0050.576] lstrcmpW (lpString1="cs-CZ", lpString2=".") returned 1 [0050.576] lstrcmpW (lpString1="cs-CZ", lpString2="..") returned 1 [0050.576] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\*") returned 19 [0050.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.576] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.576] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.576] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.576] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.576] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.576] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\.") returned 19 [0050.576] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.576] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.576] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.576] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.576] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.576] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.576] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.576] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\..") returned 20 [0050.576] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.576] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.576] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.577] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.577] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.577] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.577] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.577] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.577] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 33 [0050.577] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.577] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.577] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.577] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.577] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.577] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.577] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.577] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.577] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\cs-cz\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.577] lstrlenA (lpString="EMPTY") returned 5 [0050.577] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.578] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.578] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.578] CloseHandle (hObject=0x1d0) returned 1 [0050.579] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.579] lstrcmpiW (lpString1="da-DK", lpString2="Windows") returned -1 [0050.579] lstrcmpiW (lpString1="da-DK", lpString2="Program Files") returned -1 [0050.579] lstrcmpiW (lpString1="da-DK", lpString2="Program Files (x86)") returned -1 [0050.579] lstrcmpiW (lpString1="da-DK", lpString2="$Recycle.bin") returned 1 [0050.579] lstrcmpiW (lpString1="da-DK", lpString2="System Volume Information") returned -1 [0050.579] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK") returned 17 [0050.579] lstrcmpW (lpString1="da-DK", lpString2=".") returned 1 [0050.579] lstrcmpW (lpString1="da-DK", lpString2="..") returned 1 [0050.579] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\*") returned 19 [0050.579] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\da-DK\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.579] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.579] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.579] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.579] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.579] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.579] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\.") returned 19 [0050.579] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.579] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.579] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.579] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.579] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.579] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.579] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.579] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\..") returned 20 [0050.579] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.579] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.579] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.579] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.579] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.580] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.580] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.580] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.580] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 33 [0050.580] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.580] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.580] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.580] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.580] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.580] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.580] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.580] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.580] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\da-dk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.581] lstrlenA (lpString="EMPTY") returned 5 [0050.581] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.581] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.581] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.581] CloseHandle (hObject=0x1d0) returned 1 [0050.582] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.582] lstrcmpiW (lpString1="de-DE", lpString2="Windows") returned -1 [0050.582] lstrcmpiW (lpString1="de-DE", lpString2="Program Files") returned -1 [0050.582] lstrcmpiW (lpString1="de-DE", lpString2="Program Files (x86)") returned -1 [0050.582] lstrcmpiW (lpString1="de-DE", lpString2="$Recycle.bin") returned 1 [0050.582] lstrcmpiW (lpString1="de-DE", lpString2="System Volume Information") returned -1 [0050.582] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE") returned 17 [0050.582] lstrcmpW (lpString1="de-DE", lpString2=".") returned 1 [0050.582] lstrcmpW (lpString1="de-DE", lpString2="..") returned 1 [0050.582] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\*") returned 19 [0050.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\de-DE\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.582] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.582] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.582] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.582] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.582] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.582] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\.") returned 19 [0050.582] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.582] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.582] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.582] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.582] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.582] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.582] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.582] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\..") returned 20 [0050.582] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.582] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.582] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.583] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 33 [0050.583] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.583] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.583] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.583] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.583] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.583] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.583] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.583] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.583] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\de-de\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.583] lstrlenA (lpString="EMPTY") returned 5 [0050.583] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.584] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.584] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.584] CloseHandle (hObject=0x1d0) returned 1 [0050.584] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.584] lstrcmpiW (lpString1="el-GR", lpString2="Windows") returned -1 [0050.584] lstrcmpiW (lpString1="el-GR", lpString2="Program Files") returned -1 [0050.584] lstrcmpiW (lpString1="el-GR", lpString2="Program Files (x86)") returned -1 [0050.584] lstrcmpiW (lpString1="el-GR", lpString2="$Recycle.bin") returned 1 [0050.584] lstrcmpiW (lpString1="el-GR", lpString2="System Volume Information") returned -1 [0050.584] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR") returned 17 [0050.584] lstrcmpW (lpString1="el-GR", lpString2=".") returned 1 [0050.585] lstrcmpW (lpString1="el-GR", lpString2="..") returned 1 [0050.585] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\*") returned 19 [0050.585] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\el-GR\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.585] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.585] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.585] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.585] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.585] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.585] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\.") returned 19 [0050.585] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.585] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.585] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.585] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.585] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.585] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.585] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.585] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\..") returned 20 [0050.585] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.585] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.585] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.585] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.585] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.585] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.585] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.585] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.585] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 33 [0050.585] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.585] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.586] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.586] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.586] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.586] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.586] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.586] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.586] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\el-gr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.587] lstrlenA (lpString="EMPTY") returned 5 [0050.587] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.587] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.587] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.587] CloseHandle (hObject=0x1d0) returned 1 [0050.588] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.588] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0050.588] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0050.588] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0050.588] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0050.588] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0050.588] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US") returned 17 [0050.588] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0050.588] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0050.588] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\*") returned 19 [0050.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-US\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.588] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.588] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.588] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.588] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.588] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.588] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\.") returned 19 [0050.588] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.588] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.588] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.588] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.588] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.588] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.588] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.588] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\..") returned 20 [0050.588] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.588] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.588] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.588] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.589] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned 33 [0050.589] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.589] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.589] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.589] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.589] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.589] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.589] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0050.589] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0050.589] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.589] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.589] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0050.589] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned 33 [0050.589] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".protected") returned 0x0 [0050.589] lstrcmpW (lpString1="memtest.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0050.589] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.589] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.589] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.589] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.589] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.589] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.589] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\en-us\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.591] lstrlenA (lpString="EMPTY") returned 5 [0050.591] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.591] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.591] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.592] CloseHandle (hObject=0x1d0) returned 1 [0050.592] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.592] lstrcmpiW (lpString1="es-ES", lpString2="Windows") returned -1 [0050.592] lstrcmpiW (lpString1="es-ES", lpString2="Program Files") returned -1 [0050.592] lstrcmpiW (lpString1="es-ES", lpString2="Program Files (x86)") returned -1 [0050.592] lstrcmpiW (lpString1="es-ES", lpString2="$Recycle.bin") returned 1 [0050.592] lstrcmpiW (lpString1="es-ES", lpString2="System Volume Information") returned -1 [0050.592] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES") returned 17 [0050.592] lstrcmpW (lpString1="es-ES", lpString2=".") returned 1 [0050.592] lstrcmpW (lpString1="es-ES", lpString2="..") returned 1 [0050.592] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\*") returned 19 [0050.592] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-ES\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.595] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.595] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.595] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.595] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.595] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.595] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\.") returned 19 [0050.595] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.595] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.595] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.595] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.595] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.595] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.595] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.595] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\..") returned 20 [0050.595] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.595] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.595] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.595] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.595] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.595] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.595] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.595] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.595] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 33 [0050.596] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.596] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.596] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.596] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.596] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.596] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.596] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.596] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.596] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\es-es\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.596] lstrlenA (lpString="EMPTY") returned 5 [0050.596] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.597] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.597] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.597] CloseHandle (hObject=0x1d0) returned 1 [0050.597] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.597] lstrcmpiW (lpString1="fi-FI", lpString2="Windows") returned -1 [0050.597] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files") returned -1 [0050.597] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files (x86)") returned -1 [0050.597] lstrcmpiW (lpString1="fi-FI", lpString2="$Recycle.bin") returned 1 [0050.597] lstrcmpiW (lpString1="fi-FI", lpString2="System Volume Information") returned -1 [0050.597] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI") returned 17 [0050.597] lstrcmpW (lpString1="fi-FI", lpString2=".") returned 1 [0050.597] lstrcmpW (lpString1="fi-FI", lpString2="..") returned 1 [0050.597] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\*") returned 19 [0050.598] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fi-FI\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.598] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.598] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.598] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.598] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.598] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.598] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\.") returned 19 [0050.598] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.598] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.598] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.598] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.598] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.598] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.598] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.598] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\..") returned 20 [0050.598] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.598] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.598] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.598] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.598] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.598] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.598] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.598] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.598] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 33 [0050.598] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.598] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.598] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.598] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.598] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.598] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.598] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.599] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.599] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\fi-fi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.599] lstrlenA (lpString="EMPTY") returned 5 [0050.599] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.600] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.600] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.600] CloseHandle (hObject=0x1d0) returned 1 [0050.600] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.600] lstrcmpiW (lpString1="Fonts", lpString2="Windows") returned -1 [0050.600] lstrcmpiW (lpString1="Fonts", lpString2="Program Files") returned -1 [0050.600] lstrcmpiW (lpString1="Fonts", lpString2="Program Files (x86)") returned -1 [0050.600] lstrcmpiW (lpString1="Fonts", lpString2="$Recycle.bin") returned 1 [0050.600] lstrcmpiW (lpString1="Fonts", lpString2="System Volume Information") returned -1 [0050.600] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts") returned 17 [0050.600] lstrcmpW (lpString1="Fonts", lpString2=".") returned 1 [0050.600] lstrcmpW (lpString1="Fonts", lpString2="..") returned 1 [0050.600] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\*") returned 19 [0050.600] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Fonts\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.601] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.601] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.601] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.601] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.601] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.601] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\.") returned 19 [0050.601] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.601] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.601] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.601] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.601] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.601] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.601] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.601] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\..") returned 20 [0050.601] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.601] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.601] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.601] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Windows") returned -1 [0050.601] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files") returned -1 [0050.601] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files (x86)") returned -1 [0050.601] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="$Recycle.bin") returned 1 [0050.601] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="System Volume Information") returned -1 [0050.601] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned 30 [0050.601] StrStrIW (lpFirst="chs_boot.ttf", lpSrch=".protected") returned 0x0 [0050.601] lstrcmpW (lpString1="chs_boot.ttf", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.601] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.601] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.602] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.602] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.602] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Windows") returned -1 [0050.602] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files") returned -1 [0050.602] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files (x86)") returned -1 [0050.602] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="$Recycle.bin") returned 1 [0050.602] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="System Volume Information") returned -1 [0050.602] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned 30 [0050.602] StrStrIW (lpFirst="cht_boot.ttf", lpSrch=".protected") returned 0x0 [0050.602] lstrcmpW (lpString1="cht_boot.ttf", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.602] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.602] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.602] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.602] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.602] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Windows") returned -1 [0050.602] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files") returned -1 [0050.603] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0050.603] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0050.603] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="System Volume Information") returned -1 [0050.603] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned 30 [0050.603] StrStrIW (lpFirst="jpn_boot.ttf", lpSrch=".protected") returned 0x0 [0050.603] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0050.603] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.603] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.603] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.603] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.603] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Windows") returned -1 [0050.603] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files") returned -1 [0050.603] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files (x86)") returned -1 [0050.603] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="$Recycle.bin") returned 1 [0050.603] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="System Volume Information") returned -1 [0050.603] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned 30 [0050.603] StrStrIW (lpFirst="kor_boot.ttf", lpSrch=".protected") returned 0x0 [0050.603] lstrcmpW (lpString1="kor_boot.ttf", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0050.603] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.603] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.603] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.603] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.603] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Windows") returned -1 [0050.603] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files") returned 1 [0050.603] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files (x86)") returned 1 [0050.603] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="$Recycle.bin") returned 1 [0050.603] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="System Volume Information") returned 1 [0050.603] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 31 [0050.603] StrStrIW (lpFirst="wgl4_boot.ttf", lpSrch=".protected") returned 0x0 [0050.603] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0050.603] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.603] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.604] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.604] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.604] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.604] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.604] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\fonts\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.719] lstrlenA (lpString="EMPTY") returned 5 [0050.719] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.720] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.720] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.720] CloseHandle (hObject=0x1d0) returned 1 [0050.720] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.720] lstrcmpiW (lpString1="fr-FR", lpString2="Windows") returned -1 [0050.720] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files") returned -1 [0050.720] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files (x86)") returned -1 [0050.720] lstrcmpiW (lpString1="fr-FR", lpString2="$Recycle.bin") returned 1 [0050.720] lstrcmpiW (lpString1="fr-FR", lpString2="System Volume Information") returned -1 [0050.720] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR") returned 17 [0050.720] lstrcmpW (lpString1="fr-FR", lpString2=".") returned 1 [0050.720] lstrcmpW (lpString1="fr-FR", lpString2="..") returned 1 [0050.720] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\*") returned 19 [0050.720] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-FR\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.721] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.721] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.721] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.721] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.721] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.721] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\.") returned 19 [0050.721] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.721] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.721] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.721] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.721] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.721] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.721] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.721] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\..") returned 20 [0050.721] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.721] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.721] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.721] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.721] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.722] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.722] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.722] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.722] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 33 [0050.722] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.722] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.722] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.722] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.722] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.722] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.722] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.722] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.722] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\fr-fr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.722] lstrlenA (lpString="EMPTY") returned 5 [0050.722] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.723] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.723] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.723] CloseHandle (hObject=0x1d0) returned 1 [0050.723] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.723] lstrcmpiW (lpString1="hu-HU", lpString2="Windows") returned -1 [0050.723] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files") returned -1 [0050.723] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files (x86)") returned -1 [0050.723] lstrcmpiW (lpString1="hu-HU", lpString2="$Recycle.bin") returned 1 [0050.723] lstrcmpiW (lpString1="hu-HU", lpString2="System Volume Information") returned -1 [0050.723] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU") returned 17 [0050.723] lstrcmpW (lpString1="hu-HU", lpString2=".") returned 1 [0050.723] lstrcmpW (lpString1="hu-HU", lpString2="..") returned 1 [0050.723] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\*") returned 19 [0050.723] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hu-HU\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.724] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.724] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.724] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.724] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.724] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.724] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\.") returned 19 [0050.724] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.724] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.724] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.724] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.724] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.724] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.724] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.724] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\..") returned 20 [0050.724] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.724] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.724] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.724] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.724] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.724] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.724] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.724] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.724] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 33 [0050.724] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.724] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.724] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.724] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.724] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.724] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.725] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.725] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.725] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\hu-hu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.725] lstrlenA (lpString="EMPTY") returned 5 [0050.725] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.725] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.725] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.726] CloseHandle (hObject=0x1d0) returned 1 [0050.726] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.726] lstrcmpiW (lpString1="it-IT", lpString2="Windows") returned -1 [0050.726] lstrcmpiW (lpString1="it-IT", lpString2="Program Files") returned -1 [0050.726] lstrcmpiW (lpString1="it-IT", lpString2="Program Files (x86)") returned -1 [0050.726] lstrcmpiW (lpString1="it-IT", lpString2="$Recycle.bin") returned 1 [0050.726] lstrcmpiW (lpString1="it-IT", lpString2="System Volume Information") returned -1 [0050.726] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT") returned 17 [0050.726] lstrcmpW (lpString1="it-IT", lpString2=".") returned 1 [0050.726] lstrcmpW (lpString1="it-IT", lpString2="..") returned 1 [0050.726] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\*") returned 19 [0050.726] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\it-IT\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.727] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.727] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.727] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.727] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.727] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.727] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\.") returned 19 [0050.727] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.727] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.727] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.727] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.727] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.727] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.727] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.727] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\..") returned 20 [0050.728] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.728] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.728] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.728] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.728] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 33 [0050.728] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.728] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.728] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.728] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.728] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.728] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.728] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.728] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.728] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\it-it\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.729] lstrlenA (lpString="EMPTY") returned 5 [0050.729] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.729] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.729] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.729] CloseHandle (hObject=0x1d0) returned 1 [0050.730] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.730] lstrcmpiW (lpString1="ja-JP", lpString2="Windows") returned -1 [0050.730] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files") returned -1 [0050.730] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files (x86)") returned -1 [0050.730] lstrcmpiW (lpString1="ja-JP", lpString2="$Recycle.bin") returned 1 [0050.730] lstrcmpiW (lpString1="ja-JP", lpString2="System Volume Information") returned -1 [0050.730] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP") returned 17 [0050.730] lstrcmpW (lpString1="ja-JP", lpString2=".") returned 1 [0050.730] lstrcmpW (lpString1="ja-JP", lpString2="..") returned 1 [0050.730] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\*") returned 19 [0050.730] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ja-JP\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.730] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.730] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.730] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.730] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.730] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.730] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\.") returned 19 [0050.730] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.730] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.730] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.730] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.730] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.730] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.730] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.730] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\..") returned 20 [0050.730] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.730] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.730] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.730] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.731] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.731] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.731] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.731] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.731] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 33 [0050.731] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.731] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.731] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.731] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.731] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.731] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.731] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.731] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.731] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\ja-jp\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.731] lstrlenA (lpString="EMPTY") returned 5 [0050.731] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.732] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.732] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.732] CloseHandle (hObject=0x1d0) returned 1 [0050.732] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.732] lstrcmpiW (lpString1="ko-KR", lpString2="Windows") returned -1 [0050.732] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files") returned -1 [0050.732] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files (x86)") returned -1 [0050.732] lstrcmpiW (lpString1="ko-KR", lpString2="$Recycle.bin") returned 1 [0050.732] lstrcmpiW (lpString1="ko-KR", lpString2="System Volume Information") returned -1 [0050.732] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR") returned 17 [0050.732] lstrcmpW (lpString1="ko-KR", lpString2=".") returned 1 [0050.732] lstrcmpW (lpString1="ko-KR", lpString2="..") returned 1 [0050.732] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\*") returned 19 [0050.733] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ko-KR\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.733] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.733] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.733] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.733] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.733] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.733] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\.") returned 19 [0050.733] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.733] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.733] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.733] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.733] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.733] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.733] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.734] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\..") returned 20 [0050.734] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.734] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.734] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.734] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.734] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.734] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.734] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.734] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.734] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 33 [0050.734] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.734] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.734] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.734] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.734] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.734] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.734] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.734] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.734] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\ko-kr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.734] lstrlenA (lpString="EMPTY") returned 5 [0050.734] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.735] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.735] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.735] CloseHandle (hObject=0x1d0) returned 1 [0050.735] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.735] lstrcmpiW (lpString1="memtest.exe", lpString2="Windows") returned -1 [0050.736] lstrcmpiW (lpString1="memtest.exe", lpString2="Program Files") returned -1 [0050.736] lstrcmpiW (lpString1="memtest.exe", lpString2="Program Files (x86)") returned -1 [0050.736] lstrcmpiW (lpString1="memtest.exe", lpString2="$Recycle.bin") returned 1 [0050.736] lstrcmpiW (lpString1="memtest.exe", lpString2="System Volume Information") returned -1 [0050.736] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\memtest.exe") returned 23 [0050.736] StrStrIW (lpFirst="memtest.exe", lpSrch=".protected") returned 0x0 [0050.736] lstrcmpW (lpString1="memtest.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0050.736] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0050.736] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0050.736] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.736] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.736] lstrcmpiW (lpString1="nb-NO", lpString2="Windows") returned -1 [0050.736] lstrcmpiW (lpString1="nb-NO", lpString2="Program Files") returned -1 [0050.736] lstrcmpiW (lpString1="nb-NO", lpString2="Program Files (x86)") returned -1 [0050.736] lstrcmpiW (lpString1="nb-NO", lpString2="$Recycle.bin") returned 1 [0050.736] lstrcmpiW (lpString1="nb-NO", lpString2="System Volume Information") returned -1 [0050.736] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO") returned 17 [0050.736] lstrcmpW (lpString1="nb-NO", lpString2=".") returned 1 [0050.736] lstrcmpW (lpString1="nb-NO", lpString2="..") returned 1 [0050.736] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\*") returned 19 [0050.736] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nb-NO\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.737] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.737] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.737] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.737] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.737] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.737] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\.") returned 19 [0050.737] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.737] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.737] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.737] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.737] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.737] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.737] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.737] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\..") returned 20 [0050.737] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.737] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.737] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.737] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.737] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.737] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.737] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.737] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.737] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 33 [0050.737] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.737] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.737] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.737] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.737] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.738] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.738] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.738] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.738] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\nb-no\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.739] lstrlenA (lpString="EMPTY") returned 5 [0050.739] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.740] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.740] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.740] CloseHandle (hObject=0x1d0) returned 1 [0050.740] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.740] lstrcmpiW (lpString1="nl-NL", lpString2="Windows") returned -1 [0050.740] lstrcmpiW (lpString1="nl-NL", lpString2="Program Files") returned -1 [0050.740] lstrcmpiW (lpString1="nl-NL", lpString2="Program Files (x86)") returned -1 [0050.740] lstrcmpiW (lpString1="nl-NL", lpString2="$Recycle.bin") returned 1 [0050.740] lstrcmpiW (lpString1="nl-NL", lpString2="System Volume Information") returned -1 [0050.741] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL") returned 17 [0050.741] lstrcmpW (lpString1="nl-NL", lpString2=".") returned 1 [0050.741] lstrcmpW (lpString1="nl-NL", lpString2="..") returned 1 [0050.741] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\*") returned 19 [0050.741] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nl-NL\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.741] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.741] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.741] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.741] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.741] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.741] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\.") returned 19 [0050.741] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.741] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.741] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.741] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.741] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.741] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.741] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.741] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\..") returned 20 [0050.741] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.741] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.741] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.741] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.741] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.742] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.742] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.742] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.742] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 33 [0050.742] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.742] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.742] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.742] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.742] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.742] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.742] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.742] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.742] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\nl-nl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.743] lstrlenA (lpString="EMPTY") returned 5 [0050.743] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.743] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.743] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.744] CloseHandle (hObject=0x1d0) returned 1 [0050.744] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.744] lstrcmpiW (lpString1="pl-PL", lpString2="Windows") returned -1 [0050.744] lstrcmpiW (lpString1="pl-PL", lpString2="Program Files") returned -1 [0050.744] lstrcmpiW (lpString1="pl-PL", lpString2="Program Files (x86)") returned -1 [0050.744] lstrcmpiW (lpString1="pl-PL", lpString2="$Recycle.bin") returned 1 [0050.744] lstrcmpiW (lpString1="pl-PL", lpString2="System Volume Information") returned -1 [0050.744] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL") returned 17 [0050.744] lstrcmpW (lpString1="pl-PL", lpString2=".") returned 1 [0050.744] lstrcmpW (lpString1="pl-PL", lpString2="..") returned 1 [0050.744] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\*") returned 19 [0050.744] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pl-PL\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.744] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.744] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.744] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.744] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.744] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.744] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\.") returned 19 [0050.744] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.744] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.744] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.744] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.745] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.745] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.745] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.745] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\..") returned 20 [0050.745] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.745] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.745] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.745] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.745] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.745] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.745] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.745] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.745] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 33 [0050.745] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.745] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.745] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.745] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.745] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.746] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.746] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.746] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.746] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\pl-pl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.746] lstrlenA (lpString="EMPTY") returned 5 [0050.746] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.747] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.747] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.747] CloseHandle (hObject=0x1d0) returned 1 [0050.747] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.747] lstrcmpiW (lpString1="pt-BR", lpString2="Windows") returned -1 [0050.747] lstrcmpiW (lpString1="pt-BR", lpString2="Program Files") returned 1 [0050.747] lstrcmpiW (lpString1="pt-BR", lpString2="Program Files (x86)") returned 1 [0050.747] lstrcmpiW (lpString1="pt-BR", lpString2="$Recycle.bin") returned 1 [0050.747] lstrcmpiW (lpString1="pt-BR", lpString2="System Volume Information") returned -1 [0050.747] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR") returned 17 [0050.747] lstrcmpW (lpString1="pt-BR", lpString2=".") returned 1 [0050.747] lstrcmpW (lpString1="pt-BR", lpString2="..") returned 1 [0050.747] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\*") returned 19 [0050.747] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-BR\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.747] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.747] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.747] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.747] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.747] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.747] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\.") returned 19 [0050.747] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.747] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.748] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.748] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.748] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.748] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.748] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.748] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\..") returned 20 [0050.748] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.748] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.748] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.748] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.748] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.748] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.748] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.748] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.748] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 33 [0050.748] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.748] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.748] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.748] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.748] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.748] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.748] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.748] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.748] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\pt-br\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.749] lstrlenA (lpString="EMPTY") returned 5 [0050.749] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.750] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.750] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.750] CloseHandle (hObject=0x1d0) returned 1 [0050.750] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.750] lstrcmpiW (lpString1="pt-PT", lpString2="Windows") returned -1 [0050.750] lstrcmpiW (lpString1="pt-PT", lpString2="Program Files") returned 1 [0050.750] lstrcmpiW (lpString1="pt-PT", lpString2="Program Files (x86)") returned 1 [0050.750] lstrcmpiW (lpString1="pt-PT", lpString2="$Recycle.bin") returned 1 [0050.750] lstrcmpiW (lpString1="pt-PT", lpString2="System Volume Information") returned -1 [0050.750] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT") returned 17 [0050.750] lstrcmpW (lpString1="pt-PT", lpString2=".") returned 1 [0050.750] lstrcmpW (lpString1="pt-PT", lpString2="..") returned 1 [0050.750] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\*") returned 19 [0050.750] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-PT\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.751] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.751] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.751] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.751] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.751] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.751] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\.") returned 19 [0050.751] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.751] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.751] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.751] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.751] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.751] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.751] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.751] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\..") returned 20 [0050.751] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.751] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.751] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.751] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.751] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.751] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.751] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.751] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.751] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 33 [0050.751] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.751] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.751] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.751] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.752] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.752] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.752] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.752] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.752] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\pt-pt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.753] lstrlenA (lpString="EMPTY") returned 5 [0050.753] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.753] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.753] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.753] CloseHandle (hObject=0x1d0) returned 1 [0050.754] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.754] lstrcmpiW (lpString1="ru-RU", lpString2="Windows") returned -1 [0050.754] lstrcmpiW (lpString1="ru-RU", lpString2="Program Files") returned 1 [0050.754] lstrcmpiW (lpString1="ru-RU", lpString2="Program Files (x86)") returned 1 [0050.754] lstrcmpiW (lpString1="ru-RU", lpString2="$Recycle.bin") returned 1 [0050.754] lstrcmpiW (lpString1="ru-RU", lpString2="System Volume Information") returned -1 [0050.754] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU") returned 17 [0050.754] lstrcmpW (lpString1="ru-RU", lpString2=".") returned 1 [0050.754] lstrcmpW (lpString1="ru-RU", lpString2="..") returned 1 [0050.754] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\*") returned 19 [0050.754] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ru-RU\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.754] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.754] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.754] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.754] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.754] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.754] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\.") returned 19 [0050.754] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.754] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.754] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.754] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.754] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.754] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.754] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.754] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\..") returned 20 [0050.754] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.755] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.755] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.755] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 33 [0050.755] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.755] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.755] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.755] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.755] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.755] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.755] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.755] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.755] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\ru-ru\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.756] lstrlenA (lpString="EMPTY") returned 5 [0050.756] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.756] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.756] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.756] CloseHandle (hObject=0x1d0) returned 1 [0050.757] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.757] lstrcmpiW (lpString1="sv-SE", lpString2="Windows") returned -1 [0050.757] lstrcmpiW (lpString1="sv-SE", lpString2="Program Files") returned 1 [0050.757] lstrcmpiW (lpString1="sv-SE", lpString2="Program Files (x86)") returned 1 [0050.757] lstrcmpiW (lpString1="sv-SE", lpString2="$Recycle.bin") returned 1 [0050.757] lstrcmpiW (lpString1="sv-SE", lpString2="System Volume Information") returned -1 [0050.757] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE") returned 17 [0050.757] lstrcmpW (lpString1="sv-SE", lpString2=".") returned 1 [0050.757] lstrcmpW (lpString1="sv-SE", lpString2="..") returned 1 [0050.757] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\*") returned 19 [0050.757] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sv-SE\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.757] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.757] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.757] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.757] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.757] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.757] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\.") returned 19 [0050.757] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.757] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.757] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.757] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.757] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.757] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.757] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.757] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\..") returned 20 [0050.757] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.758] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.758] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.758] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.758] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.758] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.758] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.758] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.758] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 33 [0050.758] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.758] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.758] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.758] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.758] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.759] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.759] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.759] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.759] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\sv-se\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.759] lstrlenA (lpString="EMPTY") returned 5 [0050.759] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.759] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.760] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.760] CloseHandle (hObject=0x1d0) returned 1 [0050.760] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.760] lstrcmpiW (lpString1="tr-TR", lpString2="Windows") returned -1 [0050.760] lstrcmpiW (lpString1="tr-TR", lpString2="Program Files") returned 1 [0050.760] lstrcmpiW (lpString1="tr-TR", lpString2="Program Files (x86)") returned 1 [0050.760] lstrcmpiW (lpString1="tr-TR", lpString2="$Recycle.bin") returned 1 [0050.760] lstrcmpiW (lpString1="tr-TR", lpString2="System Volume Information") returned 1 [0050.760] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR") returned 17 [0050.760] lstrcmpW (lpString1="tr-TR", lpString2=".") returned 1 [0050.760] lstrcmpW (lpString1="tr-TR", lpString2="..") returned 1 [0050.760] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\*") returned 19 [0050.760] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\tr-TR\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.760] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.760] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.760] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.760] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.760] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.760] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\.") returned 19 [0050.760] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.760] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.761] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.761] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.761] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.761] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.761] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.761] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\..") returned 20 [0050.761] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.761] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.761] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.761] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.761] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.761] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.761] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.761] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.761] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 33 [0050.761] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.761] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.761] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.761] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.761] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.761] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.761] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.761] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.761] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\tr-tr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.761] lstrlenA (lpString="EMPTY") returned 5 [0050.761] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.762] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.762] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.762] CloseHandle (hObject=0x1d0) returned 1 [0050.762] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.762] lstrcmpiW (lpString1="zh-CN", lpString2="Windows") returned 1 [0050.762] lstrcmpiW (lpString1="zh-CN", lpString2="Program Files") returned 1 [0050.763] lstrcmpiW (lpString1="zh-CN", lpString2="Program Files (x86)") returned 1 [0050.763] lstrcmpiW (lpString1="zh-CN", lpString2="$Recycle.bin") returned 1 [0050.763] lstrcmpiW (lpString1="zh-CN", lpString2="System Volume Information") returned 1 [0050.763] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN") returned 17 [0050.763] lstrcmpW (lpString1="zh-CN", lpString2=".") returned 1 [0050.763] lstrcmpW (lpString1="zh-CN", lpString2="..") returned 1 [0050.763] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\*") returned 19 [0050.763] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-CN\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.763] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.763] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.763] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.763] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.763] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.763] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\.") returned 19 [0050.763] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.763] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.763] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.763] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.763] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.763] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.763] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.763] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\..") returned 20 [0050.763] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.763] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.763] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.763] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 33 [0050.764] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.764] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.764] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.764] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.764] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.764] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.764] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.764] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.764] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\zh-cn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.765] lstrlenA (lpString="EMPTY") returned 5 [0050.765] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.765] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.765] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.765] CloseHandle (hObject=0x1d0) returned 1 [0050.766] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.766] lstrcmpiW (lpString1="zh-HK", lpString2="Windows") returned 1 [0050.766] lstrcmpiW (lpString1="zh-HK", lpString2="Program Files") returned 1 [0050.766] lstrcmpiW (lpString1="zh-HK", lpString2="Program Files (x86)") returned 1 [0050.766] lstrcmpiW (lpString1="zh-HK", lpString2="$Recycle.bin") returned 1 [0050.766] lstrcmpiW (lpString1="zh-HK", lpString2="System Volume Information") returned 1 [0050.766] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK") returned 17 [0050.766] lstrcmpW (lpString1="zh-HK", lpString2=".") returned 1 [0050.766] lstrcmpW (lpString1="zh-HK", lpString2="..") returned 1 [0050.766] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\*") returned 19 [0050.766] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-HK\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.766] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.766] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.766] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.766] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.766] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.766] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\.") returned 19 [0050.766] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.766] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.766] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.766] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.766] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.766] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.766] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.766] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\..") returned 20 [0050.766] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.766] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.766] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.766] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.766] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.766] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.766] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.766] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.767] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 33 [0050.767] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.767] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.767] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.767] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.767] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.767] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.767] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.767] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.767] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\zh-hk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.767] lstrlenA (lpString="EMPTY") returned 5 [0050.767] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.768] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.768] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.768] CloseHandle (hObject=0x1d0) returned 1 [0050.768] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.768] lstrcmpiW (lpString1="zh-TW", lpString2="Windows") returned 1 [0050.768] lstrcmpiW (lpString1="zh-TW", lpString2="Program Files") returned 1 [0050.768] lstrcmpiW (lpString1="zh-TW", lpString2="Program Files (x86)") returned 1 [0050.768] lstrcmpiW (lpString1="zh-TW", lpString2="$Recycle.bin") returned 1 [0050.768] lstrcmpiW (lpString1="zh-TW", lpString2="System Volume Information") returned 1 [0050.768] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW") returned 17 [0050.768] lstrcmpW (lpString1="zh-TW", lpString2=".") returned 1 [0050.768] lstrcmpW (lpString1="zh-TW", lpString2="..") returned 1 [0050.768] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\*") returned 19 [0050.768] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-TW\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.769] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.769] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.769] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.769] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.769] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.769] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\.") returned 19 [0050.769] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.769] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.769] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.769] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.769] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.769] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.769] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.769] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\..") returned 20 [0050.769] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.769] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.769] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.769] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.769] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0050.769] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0050.769] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0050.769] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0050.769] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 33 [0050.769] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".protected") returned 0x0 [0050.769] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.769] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.769] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.769] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.770] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0050.770] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0050.770] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.770] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\zh-tw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0050.770] lstrlenA (lpString="EMPTY") returned 5 [0050.770] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0050.771] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.771] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0050.771] CloseHandle (hObject=0x1d0) returned 1 [0050.771] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0 [0050.771] FindClose (in: hFindFile=0x5572f0 | out: hFindFile=0x5572f0) returned 1 [0050.771] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 41 [0050.771] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\boot\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0050.771] lstrlenA (lpString="EMPTY") returned 5 [0050.771] WriteFile (in: hFile=0x1cc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef474, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef474*=0x5, lpOverlapped=0x0) returned 1 [0050.772] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.772] WriteFile (in: hFile=0x1cc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef474, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef474*=0x2ac, lpOverlapped=0x0) returned 1 [0050.772] CloseHandle (hObject=0x1cc) returned 1 [0050.772] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0050.772] lstrcmpiW (lpString1="bootmgr", lpString2="Windows") returned -1 [0050.772] lstrcmpiW (lpString1="bootmgr", lpString2="Program Files") returned -1 [0050.772] lstrcmpiW (lpString1="bootmgr", lpString2="Program Files (x86)") returned -1 [0050.773] lstrcmpiW (lpString1="bootmgr", lpString2="$Recycle.bin") returned 1 [0050.773] lstrcmpiW (lpString1="bootmgr", lpString2="System Volume Information") returned -1 [0050.773] wnsprintfW (in: pszDest=0x573520, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\bootmgr") returned 14 [0050.773] StrStrIW (lpFirst="bootmgr", lpSrch=".protected") returned 0x0 [0050.773] lstrcmpW (lpString1="bootmgr", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.773] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef790 | out: pbBuffer=0x2ef790) returned 1 [0050.773] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef784*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef784*=0x30) returned 1 [0050.773] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.773] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0050.773] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Windows") returned -1 [0050.773] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Program Files") returned -1 [0050.773] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Program Files (x86)") returned -1 [0050.773] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="$Recycle.bin") returned 1 [0050.773] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="System Volume Information") returned -1 [0050.773] wnsprintfW (in: pszDest=0x573520, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\BOOTSECT.BAK") returned 19 [0050.773] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch=".protected") returned 0x0 [0050.773] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.773] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef790 | out: pbBuffer=0x2ef790) returned 1 [0050.773] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef784*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef784*=0x30) returned 1 [0050.773] CreateFileW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.774] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0050.774] lstrcmpiW (lpString1="Config.Msi", lpString2="Windows") returned -1 [0050.774] lstrcmpiW (lpString1="Config.Msi", lpString2="Program Files") returned -1 [0050.774] lstrcmpiW (lpString1="Config.Msi", lpString2="Program Files (x86)") returned -1 [0050.774] lstrcmpiW (lpString1="Config.Msi", lpString2="$Recycle.bin") returned 1 [0050.774] lstrcmpiW (lpString1="Config.Msi", lpString2="System Volume Information") returned -1 [0050.774] wnsprintfW (in: pszDest=0x573520, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi") returned 17 [0050.774] lstrcmpW (lpString1="Config.Msi", lpString2=".") returned 1 [0050.774] lstrcmpW (lpString1="Config.Msi", lpString2="..") returned 1 [0050.774] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Config.Msi\\*") returned 19 [0050.774] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Config.Msi\\*", lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0x5572f0 [0050.774] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.774] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.774] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.774] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.774] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.774] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\.") returned 19 [0050.774] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.774] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0050.774] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.774] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0050.775] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0050.775] CreateFileW (lpFileName="\\\\?\\C:\\Config.Msi\\." (normalized: "c:\\config.msi\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.775] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.775] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.775] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.775] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.775] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.775] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.775] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\..") returned 20 [0050.775] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.775] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.775] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0050.775] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.775] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0050.775] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0050.775] CreateFileW (lpFileName="\\\\?\\C:\\Config.Msi\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.775] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0 [0050.775] FindClose (in: hFindFile=0x5572f0 | out: hFindFile=0x5572f0) returned 1 [0050.775] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 47 [0050.775] CreateFileW (lpFileName="\\\\?\\C:\\Config.Msi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\config.msi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0050.776] lstrlenA (lpString="EMPTY") returned 5 [0050.776] WriteFile (in: hFile=0x1cc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef474, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef474*=0x5, lpOverlapped=0x0) returned 1 [0050.776] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0050.776] WriteFile (in: hFile=0x1cc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef474, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef474*=0x2ac, lpOverlapped=0x0) returned 1 [0050.776] CloseHandle (hObject=0x1cc) returned 1 [0050.777] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0050.777] lstrcmpiW (lpString1="Documents and Settings", lpString2="Windows") returned -1 [0050.777] lstrcmpiW (lpString1="Documents and Settings", lpString2="Program Files") returned -1 [0050.777] lstrcmpiW (lpString1="Documents and Settings", lpString2="Program Files (x86)") returned -1 [0050.777] lstrcmpiW (lpString1="Documents and Settings", lpString2="$Recycle.bin") returned 1 [0050.777] lstrcmpiW (lpString1="Documents and Settings", lpString2="System Volume Information") returned -1 [0050.777] wnsprintfW (in: pszDest=0x573520, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Documents and Settings") returned 29 [0050.777] lstrcmpW (lpString1="Documents and Settings", lpString2=".") returned 1 [0050.777] lstrcmpW (lpString1="Documents and Settings", lpString2="..") returned 1 [0050.777] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Documents and Settings\\*") returned 31 [0050.777] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*", lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0xffffffff [0050.777] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0050.777] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Windows") returned -1 [0050.777] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Program Files") returned -1 [0050.777] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Program Files (x86)") returned -1 [0050.777] lstrcmpiW (lpString1="hiberfil.sys", lpString2="$Recycle.bin") returned 1 [0050.777] lstrcmpiW (lpString1="hiberfil.sys", lpString2="System Volume Information") returned -1 [0050.777] wnsprintfW (in: pszDest=0x573520, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\hiberfil.sys") returned 19 [0050.777] StrStrIW (lpFirst="hiberfil.sys", lpSrch=".protected") returned 0x0 [0050.777] lstrcmpW (lpString1="hiberfil.sys", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.777] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef790 | out: pbBuffer=0x2ef790) returned 1 [0050.777] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef784*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef784*=0x30) returned 1 [0050.777] CreateFileW (lpFileName="\\\\?\\C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.778] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0050.778] lstrcmpiW (lpString1="MSOCache", lpString2="Windows") returned -1 [0050.778] lstrcmpiW (lpString1="MSOCache", lpString2="Program Files") returned -1 [0050.778] lstrcmpiW (lpString1="MSOCache", lpString2="Program Files (x86)") returned -1 [0050.778] lstrcmpiW (lpString1="MSOCache", lpString2="$Recycle.bin") returned 1 [0050.778] lstrcmpiW (lpString1="MSOCache", lpString2="System Volume Information") returned -1 [0050.778] wnsprintfW (in: pszDest=0x573520, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache") returned 15 [0050.778] lstrcmpW (lpString1="MSOCache", lpString2=".") returned 1 [0050.778] lstrcmpW (lpString1="MSOCache", lpString2="..") returned 1 [0050.778] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\*") returned 17 [0050.778] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\*", lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0x5572f0 [0050.778] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.778] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.778] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.778] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.778] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.778] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\.") returned 17 [0050.778] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.778] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0050.778] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.778] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0050.778] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0050.778] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\." (normalized: "c:\\msocache\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.778] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.778] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.778] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.779] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.779] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.779] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.779] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\..") returned 18 [0050.779] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.779] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.779] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0050.779] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.779] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0050.779] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0050.779] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.779] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0050.779] lstrcmpiW (lpString1="All Users", lpString2="Windows") returned -1 [0050.779] lstrcmpiW (lpString1="All Users", lpString2="Program Files") returned -1 [0050.779] lstrcmpiW (lpString1="All Users", lpString2="Program Files (x86)") returned -1 [0050.779] lstrcmpiW (lpString1="All Users", lpString2="$Recycle.bin") returned 1 [0050.779] lstrcmpiW (lpString1="All Users", lpString2="System Volume Information") returned -1 [0050.779] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users") returned 25 [0050.779] lstrcmpW (lpString1="All Users", lpString2=".") returned 1 [0050.779] lstrcmpW (lpString1="All Users", lpString2="..") returned 1 [0050.779] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\*") returned 27 [0050.779] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0050.823] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.823] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.823] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.823] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.823] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.823] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\.") returned 27 [0050.823] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.823] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0050.824] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.824] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.824] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.824] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\." (normalized: "c:\\msocache\\all users\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.824] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.874] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.874] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.874] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.874] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.874] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.874] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\..") returned 28 [0050.874] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.874] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.874] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0050.874] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.874] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0050.875] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0050.875] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\.." (normalized: "c:\\msocache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.875] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0050.875] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0050.875] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0050.875] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0050.875] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0050.875] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0050.875] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C") returned 66 [0050.875] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0050.875] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0050.876] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*") returned 68 [0050.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0050.876] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0050.876] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0050.876] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0050.876] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0050.876] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0050.876] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\.") returned 68 [0050.876] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.876] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0050.876] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.876] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0050.876] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0050.877] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.877] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0050.877] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0050.877] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0050.877] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0050.877] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0050.877] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0050.877] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\..") returned 69 [0050.877] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0050.877] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.877] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0050.877] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.877] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0050.877] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0050.877] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.877] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0050.878] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Windows") returned -1 [0050.878] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Program Files") returned -1 [0050.878] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Program Files (x86)") returned -1 [0050.878] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="$Recycle.bin") returned 1 [0050.879] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="System Volume Information") returned -1 [0050.879] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0050.879] StrStrIW (lpFirst="ExcelLR.cab", lpSrch=".protected") returned 0x0 [0050.879] lstrcmpW (lpString1="ExcelLR.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0050.879] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0050.879] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0050.879] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0050.879] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0050.879] StrStrW (lpFirst="ExcelLR.cab", lpSrch=".txt") returned 0x0 [0050.879] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0050.879] StrStrW (lpFirst="ExcelLR.cab", lpSrch=".rar") returned 0x0 [0050.879] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0050.879] StrStrW (lpFirst="ExcelLR.cab", lpSrch=".zip") returned 0x0 [0050.880] ReadFile (in: hFile=0x1d8, lpBuffer=0x569c38, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x569c38*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0050.881] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.881] WriteFile (in: hFile=0x1d8, lpBuffer=0x569c38*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x569c38*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0050.881] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.881] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0050.882] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0050.882] CloseHandle (hObject=0x1d8) returned 1 [0051.444] wnsprintfW (in: pszDest=0x5b8648, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.protected") returned 88 [0051.444] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.protected")) returned 1 [0051.448] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0051.448] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Windows") returned -1 [0051.448] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Program Files") returned -1 [0051.448] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Program Files (x86)") returned -1 [0051.448] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="$Recycle.bin") returned 1 [0051.448] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="System Volume Information") returned -1 [0051.448] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0051.448] StrStrIW (lpFirst="ExcelMUI.msi", lpSrch=".protected") returned 0x0 [0051.448] lstrcmpW (lpString1="ExcelMUI.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0051.448] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0051.448] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0051.448] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0051.448] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0051.448] StrStrW (lpFirst="ExcelMUI.msi", lpSrch=".txt") returned 0x0 [0051.448] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0051.448] StrStrW (lpFirst="ExcelMUI.msi", lpSrch=".rar") returned 0x0 [0051.448] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0051.449] StrStrW (lpFirst="ExcelMUI.msi", lpSrch=".zip") returned 0x0 [0051.449] ReadFile (in: hFile=0x1d8, lpBuffer=0x569c38, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x569c38*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0051.461] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.461] WriteFile (in: hFile=0x1d8, lpBuffer=0x569c38*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x569c38*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0051.461] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.462] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0051.507] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0051.507] CloseHandle (hObject=0x1d8) returned 1 [0051.737] wnsprintfW (in: pszDest=0x5b8648, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.protected") returned 89 [0051.737] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.protected")) returned 1 [0051.738] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0051.738] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Windows") returned -1 [0051.738] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Program Files") returned -1 [0051.738] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Program Files (x86)") returned -1 [0051.738] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="$Recycle.bin") returned 1 [0051.738] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="System Volume Information") returned -1 [0051.738] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0051.738] StrStrIW (lpFirst="ExcelMUI.xml", lpSrch=".protected") returned 0x0 [0051.738] lstrcmpW (lpString1="ExcelMUI.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0051.739] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0051.739] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0051.739] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0051.739] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0051.739] StrStrW (lpFirst="ExcelMUI.xml", lpSrch=".txt") returned 0x0 [0051.739] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0051.739] StrStrW (lpFirst="ExcelMUI.xml", lpSrch=".rar") returned 0x0 [0051.739] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0051.739] StrStrW (lpFirst="ExcelMUI.xml", lpSrch=".zip") returned 0x0 [0051.739] ReadFile (in: hFile=0x1d8, lpBuffer=0x569c38, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x569c38*, lpNumberOfBytesRead=0x2eee78*=0x61d, lpOverlapped=0x0) returned 1 [0051.789] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff9e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.789] WriteFile (in: hFile=0x1d8, lpBuffer=0x569c38*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x569c38*, lpNumberOfBytesWritten=0x2eee78*=0x61d, lpOverlapped=0x0) returned 1 [0051.789] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.789] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0051.789] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0051.789] CloseHandle (hObject=0x1d8) returned 1 [0051.790] wnsprintfW (in: pszDest=0x5b8648, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.protected") returned 89 [0051.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.protected")) returned 1 [0051.791] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0051.791] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0051.791] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0051.791] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0051.791] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0051.791] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0051.791] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0051.791] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0051.791] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0051.791] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0051.796] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0051.799] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0051.823] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0051.823] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0051.823] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0051.823] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0051.823] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0051.823] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0051.823] ReadFile (in: hFile=0x1d8, lpBuffer=0x569c38, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x569c38*, lpNumberOfBytesRead=0x2eee78*=0x8f8, lpOverlapped=0x0) returned 1 [0051.856] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff708, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.883] WriteFile (in: hFile=0x1d8, lpBuffer=0x569c38*, nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x569c38*, lpNumberOfBytesWritten=0x2eee78*=0x8f8, lpOverlapped=0x0) returned 1 [0051.883] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.883] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0051.884] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0051.884] CloseHandle (hObject=0x1d8) returned 1 [0051.924] wnsprintfW (in: pszDest=0x5b8648, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0051.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0051.924] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0051.924] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0051.924] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0051.924] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0051.925] lstrlenA (lpString="EMPTY") returned 5 [0051.925] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0051.926] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0051.926] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0051.933] CloseHandle (hObject=0x1d4) returned 1 [0051.934] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0051.934] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0051.934] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0051.934] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0051.934] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0051.934] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0051.934] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C") returned 66 [0051.934] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0051.934] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0051.934] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*") returned 68 [0051.934] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0051.961] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0051.961] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0051.961] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0051.961] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0051.961] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0051.961] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\.") returned 68 [0051.961] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0051.962] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0051.962] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0051.962] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0051.962] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0051.962] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0051.962] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0051.962] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0051.962] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0051.962] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0051.962] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0051.962] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0051.962] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\..") returned 69 [0051.962] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0051.962] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0051.962] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0051.962] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0051.962] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0051.962] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0051.962] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0051.963] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0051.963] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Windows") returned -1 [0051.963] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Program Files") returned -1 [0051.963] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Program Files (x86)") returned -1 [0051.963] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="$Recycle.bin") returned 1 [0051.963] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="System Volume Information") returned -1 [0051.963] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0051.963] StrStrIW (lpFirst="PowerPointMUI.msi", lpSrch=".protected") returned 0x0 [0051.963] lstrcmpW (lpString1="PowerPointMUI.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0051.963] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0051.963] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0051.963] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0051.963] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0051.963] StrStrW (lpFirst="PowerPointMUI.msi", lpSrch=".txt") returned 0x0 [0051.963] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0051.963] StrStrW (lpFirst="PowerPointMUI.msi", lpSrch=".rar") returned 0x0 [0051.963] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0051.963] StrStrW (lpFirst="PowerPointMUI.msi", lpSrch=".zip") returned 0x0 [0051.963] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0051.997] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.997] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0051.997] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.997] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0052.026] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0052.026] CloseHandle (hObject=0x1d8) returned 1 [0052.216] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.protected") returned 94 [0052.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.protected")) returned 1 [0052.216] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0052.216] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Windows") returned -1 [0052.216] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Program Files") returned -1 [0052.216] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Program Files (x86)") returned -1 [0052.216] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="$Recycle.bin") returned 1 [0052.216] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="System Volume Information") returned -1 [0052.216] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0052.216] StrStrIW (lpFirst="PowerPointMUI.xml", lpSrch=".protected") returned 0x0 [0052.217] lstrcmpW (lpString1="PowerPointMUI.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0052.217] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0052.217] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0052.217] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0052.217] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0052.217] StrStrW (lpFirst="PowerPointMUI.xml", lpSrch=".txt") returned 0x0 [0052.217] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0052.217] StrStrW (lpFirst="PowerPointMUI.xml", lpSrch=".rar") returned 0x0 [0052.217] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0052.217] StrStrW (lpFirst="PowerPointMUI.xml", lpSrch=".zip") returned 0x0 [0052.217] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x5aa, lpOverlapped=0x0) returned 1 [0052.276] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffa56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.276] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x5aa, lpOverlapped=0x0) returned 1 [0052.276] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.276] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0052.276] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0052.277] CloseHandle (hObject=0x1d8) returned 1 [0052.278] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.protected") returned 94 [0052.278] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.protected")) returned 1 [0052.278] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0052.278] lstrcmpiW (lpString1="PptLR.cab", lpString2="Windows") returned -1 [0052.278] lstrcmpiW (lpString1="PptLR.cab", lpString2="Program Files") returned -1 [0052.278] lstrcmpiW (lpString1="PptLR.cab", lpString2="Program Files (x86)") returned -1 [0052.278] lstrcmpiW (lpString1="PptLR.cab", lpString2="$Recycle.bin") returned 1 [0052.278] lstrcmpiW (lpString1="PptLR.cab", lpString2="System Volume Information") returned -1 [0052.278] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0052.278] StrStrIW (lpFirst="PptLR.cab", lpSrch=".protected") returned 0x0 [0052.278] lstrcmpW (lpString1="PptLR.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0052.279] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0052.279] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0052.279] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0052.279] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0052.279] StrStrW (lpFirst="PptLR.cab", lpSrch=".txt") returned 0x0 [0052.280] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0052.280] StrStrW (lpFirst="PptLR.cab", lpSrch=".rar") returned 0x0 [0052.280] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0052.280] StrStrW (lpFirst="PptLR.cab", lpSrch=".zip") returned 0x0 [0052.280] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0052.308] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.308] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0052.309] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.309] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0052.331] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0052.331] CloseHandle (hObject=0x1d8) returned 1 [0052.974] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.protected") returned 86 [0052.975] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.protected")) returned 1 [0052.975] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0052.975] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0052.975] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0052.975] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0052.975] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0052.975] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0052.975] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0052.975] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0052.975] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0052.975] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0052.976] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0052.976] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0052.976] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0052.976] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0052.976] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0052.976] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0052.976] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0052.976] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0052.976] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x75e, lpOverlapped=0x0) returned 1 [0053.074] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff8a2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.074] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x75e, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x75e, lpOverlapped=0x0) returned 1 [0053.074] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.074] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0053.074] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0053.074] CloseHandle (hObject=0x1d8) returned 1 [0053.075] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0053.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0053.076] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0053.076] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0053.076] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0053.076] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0053.076] lstrlenA (lpString="EMPTY") returned 5 [0053.076] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0053.077] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0053.077] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0053.077] CloseHandle (hObject=0x1d4) returned 1 [0053.077] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0053.077] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0053.077] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0053.077] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0053.078] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0053.078] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0053.078] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C") returned 66 [0053.078] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0053.078] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0053.078] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*") returned 68 [0053.078] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0053.326] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0053.326] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0053.326] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0053.326] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0053.326] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0053.326] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\.") returned 68 [0053.389] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0053.389] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0053.389] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0053.389] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0053.389] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0053.390] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0053.390] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0053.390] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0053.390] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0053.390] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0053.390] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0053.390] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0053.390] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\..") returned 69 [0053.390] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0053.390] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0053.390] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0053.390] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0053.390] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0053.390] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0053.390] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0053.390] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0053.390] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Windows") returned -1 [0053.390] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Program Files") returned 1 [0053.390] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Program Files (x86)") returned 1 [0053.390] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="$Recycle.bin") returned 1 [0053.391] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="System Volume Information") returned -1 [0053.391] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 83 [0053.391] StrStrIW (lpFirst="PublisherMUI.msi", lpSrch=".protected") returned 0x0 [0053.391] lstrcmpW (lpString1="PublisherMUI.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0053.391] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0053.391] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0053.391] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0053.442] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 83 [0053.442] StrStrW (lpFirst="PublisherMUI.msi", lpSrch=".txt") returned 0x0 [0053.442] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 83 [0053.442] StrStrW (lpFirst="PublisherMUI.msi", lpSrch=".rar") returned 0x0 [0053.442] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 83 [0053.442] StrStrW (lpFirst="PublisherMUI.msi", lpSrch=".zip") returned 0x0 [0053.442] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0053.480] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.480] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0053.480] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.480] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0053.548] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0053.548] CloseHandle (hObject=0x1d8) returned 1 [0053.626] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.protected") returned 93 [0053.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.protected")) returned 1 [0053.627] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0053.627] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Windows") returned -1 [0053.627] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Program Files") returned 1 [0053.627] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Program Files (x86)") returned 1 [0053.627] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="$Recycle.bin") returned 1 [0053.627] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="System Volume Information") returned -1 [0053.627] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0053.627] StrStrIW (lpFirst="PublisherMUI.xml", lpSrch=".protected") returned 0x0 [0053.627] lstrcmpW (lpString1="PublisherMUI.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0053.627] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0053.627] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0053.628] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0053.628] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0053.628] StrStrW (lpFirst="PublisherMUI.xml", lpSrch=".txt") returned 0x0 [0053.628] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0053.628] StrStrW (lpFirst="PublisherMUI.xml", lpSrch=".rar") returned 0x0 [0053.628] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0053.628] StrStrW (lpFirst="PublisherMUI.xml", lpSrch=".zip") returned 0x0 [0053.628] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x5aa, lpOverlapped=0x0) returned 1 [0053.639] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffa56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.639] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x5aa, lpOverlapped=0x0) returned 1 [0053.639] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.639] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0053.640] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0053.640] CloseHandle (hObject=0x1d8) returned 1 [0053.640] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.protected") returned 93 [0053.640] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.protected")) returned 1 [0053.641] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0053.641] lstrcmpiW (lpString1="PubLR.cab", lpString2="Windows") returned -1 [0053.641] lstrcmpiW (lpString1="PubLR.cab", lpString2="Program Files") returned 1 [0053.641] lstrcmpiW (lpString1="PubLR.cab", lpString2="Program Files (x86)") returned 1 [0053.641] lstrcmpiW (lpString1="PubLR.cab", lpString2="$Recycle.bin") returned 1 [0053.641] lstrcmpiW (lpString1="PubLR.cab", lpString2="System Volume Information") returned -1 [0053.641] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0053.641] StrStrIW (lpFirst="PubLR.cab", lpSrch=".protected") returned 0x0 [0053.641] lstrcmpW (lpString1="PubLR.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0053.641] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0053.641] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0053.641] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0053.642] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0053.642] StrStrW (lpFirst="PubLR.cab", lpSrch=".txt") returned 0x0 [0053.642] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0053.642] StrStrW (lpFirst="PubLR.cab", lpSrch=".rar") returned 0x0 [0053.642] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0053.642] StrStrW (lpFirst="PubLR.cab", lpSrch=".zip") returned 0x0 [0053.642] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0053.652] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.652] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0053.653] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.653] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0053.666] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0053.667] CloseHandle (hObject=0x1d8) returned 1 [0054.313] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.protected") returned 86 [0054.313] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.protected")) returned 1 [0054.317] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0054.317] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0054.317] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0054.318] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0054.318] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0054.318] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0054.318] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0054.318] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0054.318] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0054.318] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0054.318] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0054.318] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0054.318] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0054.318] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0054.318] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0054.318] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0054.318] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0054.318] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0054.318] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x648, lpOverlapped=0x0) returned 1 [0054.373] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff9b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.373] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x648, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x648, lpOverlapped=0x0) returned 1 [0054.373] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.373] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0054.373] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0054.373] CloseHandle (hObject=0x1d8) returned 1 [0054.374] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0054.374] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0054.380] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0054.380] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0054.380] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0054.380] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0054.380] lstrlenA (lpString="EMPTY") returned 5 [0054.380] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0054.381] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0054.381] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0054.381] CloseHandle (hObject=0x1d4) returned 1 [0054.381] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0054.381] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0054.381] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0054.381] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0054.381] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0054.381] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0054.381] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C") returned 66 [0054.381] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0054.381] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0054.381] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*") returned 68 [0054.381] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0054.419] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0054.419] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0054.419] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0054.419] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0054.419] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0054.419] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\.") returned 68 [0054.419] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.419] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0054.419] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0054.419] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0054.419] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0054.419] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.419] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0054.419] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0054.419] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0054.419] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0054.419] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0054.419] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0054.419] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\..") returned 69 [0054.419] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0054.420] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.420] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0054.420] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0054.420] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0054.420] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0054.420] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.420] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0054.420] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Windows") returned -1 [0054.420] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Program Files") returned -1 [0054.420] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Program Files (x86)") returned -1 [0054.420] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="$Recycle.bin") returned 1 [0054.420] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="System Volume Information") returned -1 [0054.420] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0054.420] StrStrIW (lpFirst="OutlkLR.cab", lpSrch=".protected") returned 0x0 [0054.420] lstrcmpW (lpString1="OutlkLR.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0054.420] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0054.420] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0054.420] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0054.420] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0054.420] StrStrW (lpFirst="OutlkLR.cab", lpSrch=".txt") returned 0x0 [0054.420] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0054.420] StrStrW (lpFirst="OutlkLR.cab", lpSrch=".rar") returned 0x0 [0054.420] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0054.420] StrStrW (lpFirst="OutlkLR.cab", lpSrch=".zip") returned 0x0 [0054.420] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0054.514] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.514] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0054.531] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.531] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0054.561] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0054.561] CloseHandle (hObject=0x1d8) returned 1 [0055.762] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.protected") returned 88 [0055.762] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.protected")) returned 1 [0055.763] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0055.763] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Windows") returned -1 [0055.763] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Program Files") returned -1 [0055.763] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Program Files (x86)") returned -1 [0055.763] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="$Recycle.bin") returned 1 [0055.763] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="System Volume Information") returned -1 [0055.763] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0055.763] StrStrIW (lpFirst="OutlookMUI.msi", lpSrch=".protected") returned 0x0 [0055.763] lstrcmpW (lpString1="OutlookMUI.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0055.763] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0055.763] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0055.763] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0055.764] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0055.764] StrStrW (lpFirst="OutlookMUI.msi", lpSrch=".txt") returned 0x0 [0055.764] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0055.764] StrStrW (lpFirst="OutlookMUI.msi", lpSrch=".rar") returned 0x0 [0055.764] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0055.764] StrStrW (lpFirst="OutlookMUI.msi", lpSrch=".zip") returned 0x0 [0055.764] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0055.838] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0055.838] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0055.838] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.838] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0055.926] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0055.926] CloseHandle (hObject=0x1d8) returned 1 [0056.481] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.protected") returned 91 [0056.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.protected")) returned 1 [0056.481] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0056.482] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Windows") returned -1 [0056.482] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Program Files") returned -1 [0056.482] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Program Files (x86)") returned -1 [0056.482] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="$Recycle.bin") returned 1 [0056.482] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="System Volume Information") returned -1 [0056.482] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0056.482] StrStrIW (lpFirst="OutlookMUI.xml", lpSrch=".protected") returned 0x0 [0056.482] lstrcmpW (lpString1="OutlookMUI.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0056.482] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0056.482] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0056.482] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0056.482] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0056.482] StrStrW (lpFirst="OutlookMUI.xml", lpSrch=".txt") returned 0x0 [0056.482] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0056.482] StrStrW (lpFirst="OutlookMUI.xml", lpSrch=".rar") returned 0x0 [0056.482] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0056.482] StrStrW (lpFirst="OutlookMUI.xml", lpSrch=".zip") returned 0x0 [0056.482] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0xc72, lpOverlapped=0x0) returned 1 [0056.505] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff38e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.505] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0xc72, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0xc72, lpOverlapped=0x0) returned 1 [0056.505] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.505] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0056.505] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0056.506] CloseHandle (hObject=0x1d8) returned 1 [0056.506] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.protected") returned 91 [0056.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.protected")) returned 1 [0056.507] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0056.507] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0056.507] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0056.507] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0056.507] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0056.507] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0056.507] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.507] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0056.507] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0056.507] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0056.507] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0056.507] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0056.508] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.508] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0056.508] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.508] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0056.508] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.508] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0056.508] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x106f, lpOverlapped=0x0) returned 1 [0056.531] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffef91, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.531] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x106f, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x106f, lpOverlapped=0x0) returned 1 [0056.532] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.532] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0056.532] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0056.532] CloseHandle (hObject=0x1d8) returned 1 [0056.535] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0056.535] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0056.535] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0056.535] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0056.535] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0056.535] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0056.536] lstrlenA (lpString="EMPTY") returned 5 [0056.536] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0056.536] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0056.536] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0056.536] CloseHandle (hObject=0x1d4) returned 1 [0056.537] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0056.537] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0056.537] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0056.537] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0056.537] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0056.537] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0056.537] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C") returned 66 [0056.537] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0056.537] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0056.537] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*") returned 68 [0056.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0056.537] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0056.537] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0056.537] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0056.538] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0056.538] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0056.538] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\.") returned 68 [0056.538] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.538] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0056.538] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0056.538] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0056.538] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0056.538] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0056.538] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0056.538] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0056.538] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0056.538] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0056.538] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0056.538] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0056.538] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\..") returned 69 [0056.538] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.538] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.538] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0056.538] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0056.538] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0056.538] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0056.538] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0056.538] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0056.538] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0056.538] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0056.538] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0056.538] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0056.538] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0056.538] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.538] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0056.538] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0056.538] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0056.538] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0056.538] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0056.539] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.539] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0056.539] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.539] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0056.539] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0056.539] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0056.539] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x978, lpOverlapped=0x0) returned 1 [0056.597] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff688, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.597] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x978, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x978, lpOverlapped=0x0) returned 1 [0056.597] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.598] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0056.598] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0056.598] CloseHandle (hObject=0x1d8) returned 1 [0056.600] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0056.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0056.921] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0056.921] lstrcmpiW (lpString1="WordLR.cab", lpString2="Windows") returned 1 [0056.921] lstrcmpiW (lpString1="WordLR.cab", lpString2="Program Files") returned 1 [0056.921] lstrcmpiW (lpString1="WordLR.cab", lpString2="Program Files (x86)") returned 1 [0056.921] lstrcmpiW (lpString1="WordLR.cab", lpString2="$Recycle.bin") returned 1 [0056.921] lstrcmpiW (lpString1="WordLR.cab", lpString2="System Volume Information") returned 1 [0056.921] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0056.921] StrStrIW (lpFirst="WordLR.cab", lpSrch=".protected") returned 0x0 [0056.922] lstrcmpW (lpString1="WordLR.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0056.922] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0056.922] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0056.922] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0056.922] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0056.922] StrStrW (lpFirst="WordLR.cab", lpSrch=".txt") returned 0x0 [0056.922] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0056.922] StrStrW (lpFirst="WordLR.cab", lpSrch=".rar") returned 0x0 [0056.922] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0056.922] StrStrW (lpFirst="WordLR.cab", lpSrch=".zip") returned 0x0 [0056.922] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0056.946] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.946] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0056.947] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.947] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0056.948] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0056.948] CloseHandle (hObject=0x1d8) returned 1 [0057.355] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.protected") returned 87 [0057.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.protected")) returned 1 [0057.356] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0057.356] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Windows") returned 1 [0057.356] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Program Files") returned 1 [0057.356] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Program Files (x86)") returned 1 [0057.356] lstrcmpiW (lpString1="WordMUI.msi", lpString2="$Recycle.bin") returned 1 [0057.356] lstrcmpiW (lpString1="WordMUI.msi", lpString2="System Volume Information") returned 1 [0057.356] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0057.356] StrStrIW (lpFirst="WordMUI.msi", lpSrch=".protected") returned 0x0 [0057.356] lstrcmpW (lpString1="WordMUI.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0057.356] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0057.356] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0057.356] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0057.356] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0057.357] StrStrW (lpFirst="WordMUI.msi", lpSrch=".txt") returned 0x0 [0057.357] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0057.357] StrStrW (lpFirst="WordMUI.msi", lpSrch=".rar") returned 0x0 [0057.357] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0057.357] StrStrW (lpFirst="WordMUI.msi", lpSrch=".zip") returned 0x0 [0057.357] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0057.424] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.424] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0057.424] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.424] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0057.428] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0057.429] CloseHandle (hObject=0x1d8) returned 1 [0057.873] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.protected") returned 88 [0057.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.protected")) returned 1 [0057.877] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0057.877] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Windows") returned 1 [0057.877] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Program Files") returned 1 [0057.877] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Program Files (x86)") returned 1 [0057.877] lstrcmpiW (lpString1="WordMUI.xml", lpString2="$Recycle.bin") returned 1 [0057.877] lstrcmpiW (lpString1="WordMUI.xml", lpString2="System Volume Information") returned 1 [0057.877] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0057.877] StrStrIW (lpFirst="WordMUI.xml", lpSrch=".protected") returned 0x0 [0057.877] lstrcmpW (lpString1="WordMUI.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0057.877] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0057.877] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0057.877] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0057.877] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0057.877] StrStrW (lpFirst="WordMUI.xml", lpSrch=".txt") returned 0x0 [0057.877] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0057.877] StrStrW (lpFirst="WordMUI.xml", lpSrch=".rar") returned 0x0 [0057.877] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0057.877] StrStrW (lpFirst="WordMUI.xml", lpSrch=".zip") returned 0x0 [0057.877] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x708, lpOverlapped=0x0) returned 1 [0057.898] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff8f8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.898] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x708, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x708, lpOverlapped=0x0) returned 1 [0057.898] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.898] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0057.898] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0057.899] CloseHandle (hObject=0x1d8) returned 1 [0057.899] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.protected") returned 88 [0057.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.protected")) returned 1 [0057.900] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0057.900] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0057.900] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0057.900] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0057.900] lstrlenA (lpString="EMPTY") returned 5 [0057.900] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0057.901] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0057.901] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0057.901] CloseHandle (hObject=0x1d4) returned 1 [0057.901] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0057.901] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0057.901] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0057.901] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0057.901] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0057.901] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0057.901] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C") returned 66 [0057.901] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0057.901] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0057.901] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*") returned 68 [0057.901] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0057.906] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0057.906] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0057.906] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0057.906] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0057.906] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0057.906] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\.") returned 68 [0057.906] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.906] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0057.906] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0057.906] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0057.906] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0057.906] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0057.906] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0057.906] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0057.906] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0057.907] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0057.907] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0057.907] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0057.907] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\..") returned 69 [0057.907] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.907] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.907] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0057.907] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0057.907] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0057.907] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0057.907] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0057.907] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0057.907] lstrcmpiW (lpString1="Proof.en", lpString2="Windows") returned -1 [0057.907] lstrcmpiW (lpString1="Proof.en", lpString2="Program Files") returned 1 [0057.907] lstrcmpiW (lpString1="Proof.en", lpString2="Program Files (x86)") returned 1 [0057.907] lstrcmpiW (lpString1="Proof.en", lpString2="$Recycle.bin") returned 1 [0057.907] lstrcmpiW (lpString1="Proof.en", lpString2="System Volume Information") returned -1 [0057.907] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en") returned 75 [0057.907] lstrcmpW (lpString1="Proof.en", lpString2=".") returned 1 [0057.907] lstrcmpW (lpString1="Proof.en", lpString2="..") returned 1 [0057.907] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*") returned 77 [0057.907] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0057.907] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0057.907] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0057.907] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0057.907] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0057.907] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0057.907] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\.") returned 77 [0057.907] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.907] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0057.907] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0057.907] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0057.907] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0057.907] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0057.907] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0057.907] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\..") returned 78 [0057.908] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.908] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.908] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0057.908] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0057.908] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files") returned 1 [0057.908] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files (x86)") returned 1 [0057.908] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0057.908] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0057.908] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0057.908] StrStrIW (lpFirst="Proof.cab", lpSrch=".protected") returned 0x0 [0057.908] lstrcmpW (lpString1="Proof.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0057.908] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0057.908] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0057.908] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0057.908] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0057.909] StrStrW (lpFirst="Proof.cab", lpSrch=".txt") returned 0x0 [0057.909] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0057.909] StrStrW (lpFirst="Proof.cab", lpSrch=".rar") returned 0x0 [0057.909] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0057.909] StrStrW (lpFirst="Proof.cab", lpSrch=".zip") returned 0x0 [0057.909] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0057.916] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.916] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0057.916] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.916] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0057.923] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0057.923] CloseHandle (hObject=0x1dc) returned 1 [0058.354] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.protected") returned 95 [0058.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.protected")) returned 1 [0058.355] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0058.355] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0058.355] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files") returned 1 [0058.355] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files (x86)") returned 1 [0058.355] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0058.355] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0058.355] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0058.355] StrStrIW (lpFirst="Proof.msi", lpSrch=".protected") returned 0x0 [0058.355] lstrcmpW (lpString1="Proof.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0058.355] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0058.355] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0058.355] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0058.356] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0058.356] StrStrW (lpFirst="Proof.msi", lpSrch=".txt") returned 0x0 [0058.356] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0058.356] StrStrW (lpFirst="Proof.msi", lpSrch=".rar") returned 0x0 [0058.356] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0058.356] StrStrW (lpFirst="Proof.msi", lpSrch=".zip") returned 0x0 [0058.356] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0058.571] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.571] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0058.572] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.572] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0058.689] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0058.689] CloseHandle (hObject=0x1dc) returned 1 [0058.723] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.protected") returned 95 [0058.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.protected")) returned 1 [0058.723] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0058.723] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0058.723] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files") returned 1 [0058.723] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files (x86)") returned 1 [0058.723] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0058.723] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0058.723] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0058.723] StrStrIW (lpFirst="Proof.xml", lpSrch=".protected") returned 0x0 [0058.723] lstrcmpW (lpString1="Proof.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0058.723] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0058.723] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0058.723] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0058.723] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0058.724] StrStrW (lpFirst="Proof.xml", lpSrch=".txt") returned 0x0 [0058.724] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0058.724] StrStrW (lpFirst="Proof.xml", lpSrch=".rar") returned 0x0 [0058.724] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0058.724] StrStrW (lpFirst="Proof.xml", lpSrch=".zip") returned 0x0 [0058.724] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x543, lpOverlapped=0x0) returned 1 [0058.744] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xfffffabd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.744] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x543, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x543, lpOverlapped=0x0) returned 1 [0058.744] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.744] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0058.744] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0058.744] CloseHandle (hObject=0x1dc) returned 1 [0058.745] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.protected") returned 95 [0058.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.protected")) returned 1 [0058.819] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0058.819] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0058.819] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 105 [0058.819] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0058.820] lstrlenA (lpString="EMPTY") returned 5 [0058.820] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0058.820] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0058.820] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0058.821] CloseHandle (hObject=0x1d8) returned 1 [0058.821] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0058.821] lstrcmpiW (lpString1="Proof.es", lpString2="Windows") returned -1 [0058.821] lstrcmpiW (lpString1="Proof.es", lpString2="Program Files") returned 1 [0058.821] lstrcmpiW (lpString1="Proof.es", lpString2="Program Files (x86)") returned 1 [0058.821] lstrcmpiW (lpString1="Proof.es", lpString2="$Recycle.bin") returned 1 [0058.821] lstrcmpiW (lpString1="Proof.es", lpString2="System Volume Information") returned -1 [0058.821] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es") returned 75 [0058.821] lstrcmpW (lpString1="Proof.es", lpString2=".") returned 1 [0058.821] lstrcmpW (lpString1="Proof.es", lpString2="..") returned 1 [0058.821] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*") returned 77 [0058.821] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0058.821] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.821] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.821] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.821] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.821] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.821] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\.") returned 77 [0058.821] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.821] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0058.821] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.821] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.821] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.821] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.821] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.821] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\..") returned 78 [0058.822] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.822] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.822] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0058.822] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0058.822] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files") returned 1 [0058.822] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files (x86)") returned 1 [0058.822] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0058.822] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0058.822] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0058.822] StrStrIW (lpFirst="Proof.cab", lpSrch=".protected") returned 0x0 [0058.822] lstrcmpW (lpString1="Proof.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0058.822] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0058.822] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0058.822] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0058.822] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0058.822] StrStrW (lpFirst="Proof.cab", lpSrch=".txt") returned 0x0 [0058.822] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0058.823] StrStrW (lpFirst="Proof.cab", lpSrch=".rar") returned 0x0 [0058.823] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0058.823] StrStrW (lpFirst="Proof.cab", lpSrch=".zip") returned 0x0 [0058.823] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0058.836] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.836] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0058.836] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.836] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0058.967] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0058.967] CloseHandle (hObject=0x1dc) returned 1 [0059.431] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.protected") returned 95 [0059.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.protected")) returned 1 [0059.432] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0059.432] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0059.432] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files") returned 1 [0059.432] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files (x86)") returned 1 [0059.432] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0059.432] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0059.432] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0059.432] StrStrIW (lpFirst="Proof.msi", lpSrch=".protected") returned 0x0 [0059.432] lstrcmpW (lpString1="Proof.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0059.432] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0059.432] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0059.432] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0059.433] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0059.433] StrStrW (lpFirst="Proof.msi", lpSrch=".txt") returned 0x0 [0059.433] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0059.433] StrStrW (lpFirst="Proof.msi", lpSrch=".rar") returned 0x0 [0059.433] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0059.433] StrStrW (lpFirst="Proof.msi", lpSrch=".zip") returned 0x0 [0059.433] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0059.434] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.434] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0059.434] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.434] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0059.462] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0059.462] CloseHandle (hObject=0x1dc) returned 1 [0059.473] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.protected") returned 95 [0059.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.protected")) returned 1 [0059.474] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0059.474] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0059.474] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files") returned 1 [0059.474] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files (x86)") returned 1 [0059.474] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0059.474] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0059.474] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0059.474] StrStrIW (lpFirst="Proof.xml", lpSrch=".protected") returned 0x0 [0059.474] lstrcmpW (lpString1="Proof.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0059.474] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0059.474] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0059.474] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0059.474] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0059.474] StrStrW (lpFirst="Proof.xml", lpSrch=".txt") returned 0x0 [0059.474] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0059.474] StrStrW (lpFirst="Proof.xml", lpSrch=".rar") returned 0x0 [0059.474] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0059.474] StrStrW (lpFirst="Proof.xml", lpSrch=".zip") returned 0x0 [0059.474] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x5b1, lpOverlapped=0x0) returned 1 [0059.519] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xfffffa4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.519] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x5b1, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x5b1, lpOverlapped=0x0) returned 1 [0059.623] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.623] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0059.623] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0059.623] CloseHandle (hObject=0x1dc) returned 1 [0059.624] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.protected") returned 95 [0059.624] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.protected")) returned 1 [0059.626] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0059.626] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0059.626] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 105 [0059.626] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0059.626] lstrlenA (lpString="EMPTY") returned 5 [0059.626] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0059.627] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0059.627] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0059.627] CloseHandle (hObject=0x1d8) returned 1 [0059.627] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0059.627] lstrcmpiW (lpString1="Proof.fr", lpString2="Windows") returned -1 [0059.627] lstrcmpiW (lpString1="Proof.fr", lpString2="Program Files") returned 1 [0059.627] lstrcmpiW (lpString1="Proof.fr", lpString2="Program Files (x86)") returned 1 [0059.627] lstrcmpiW (lpString1="Proof.fr", lpString2="$Recycle.bin") returned 1 [0059.627] lstrcmpiW (lpString1="Proof.fr", lpString2="System Volume Information") returned -1 [0059.627] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr") returned 75 [0059.627] lstrcmpW (lpString1="Proof.fr", lpString2=".") returned 1 [0059.627] lstrcmpW (lpString1="Proof.fr", lpString2="..") returned 1 [0059.627] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*") returned 77 [0059.627] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0059.627] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.627] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.627] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.627] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.627] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.627] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\.") returned 77 [0059.627] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.627] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0059.627] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.627] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.627] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.628] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.628] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.628] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\..") returned 78 [0059.628] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.628] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.628] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0059.628] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0059.628] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files") returned 1 [0059.628] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files (x86)") returned 1 [0059.628] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0059.628] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0059.628] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0059.628] StrStrIW (lpFirst="Proof.cab", lpSrch=".protected") returned 0x0 [0059.628] lstrcmpW (lpString1="Proof.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0059.628] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0059.628] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0059.628] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0059.628] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0059.628] StrStrW (lpFirst="Proof.cab", lpSrch=".txt") returned 0x0 [0059.628] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0059.628] StrStrW (lpFirst="Proof.cab", lpSrch=".rar") returned 0x0 [0059.628] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0059.628] StrStrW (lpFirst="Proof.cab", lpSrch=".zip") returned 0x0 [0059.628] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0059.637] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.637] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0059.637] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.637] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0059.641] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0059.641] CloseHandle (hObject=0x1dc) returned 1 [0060.317] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.protected") returned 95 [0060.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.protected")) returned 1 [0060.317] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0060.317] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0060.317] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files") returned 1 [0060.317] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files (x86)") returned 1 [0060.317] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0060.317] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0060.318] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0060.318] StrStrIW (lpFirst="Proof.msi", lpSrch=".protected") returned 0x0 [0060.318] lstrcmpW (lpString1="Proof.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0060.318] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0060.318] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0060.318] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0060.318] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0060.319] StrStrW (lpFirst="Proof.msi", lpSrch=".txt") returned 0x0 [0060.319] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0060.319] StrStrW (lpFirst="Proof.msi", lpSrch=".rar") returned 0x0 [0060.319] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0060.319] StrStrW (lpFirst="Proof.msi", lpSrch=".zip") returned 0x0 [0060.319] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0060.320] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.320] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0060.321] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.321] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0060.413] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0060.413] CloseHandle (hObject=0x1dc) returned 1 [0060.483] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.protected") returned 95 [0060.483] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.protected")) returned 1 [0060.484] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0060.484] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0060.484] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files") returned 1 [0060.484] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files (x86)") returned 1 [0060.484] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0060.484] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0060.484] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0060.484] StrStrIW (lpFirst="Proof.xml", lpSrch=".protected") returned 0x0 [0060.484] lstrcmpW (lpString1="Proof.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0060.484] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0060.484] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0060.484] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0060.484] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0060.484] StrStrW (lpFirst="Proof.xml", lpSrch=".txt") returned 0x0 [0060.484] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0060.490] StrStrW (lpFirst="Proof.xml", lpSrch=".rar") returned 0x0 [0060.490] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0060.490] StrStrW (lpFirst="Proof.xml", lpSrch=".zip") returned 0x0 [0060.490] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x5b2, lpOverlapped=0x0) returned 1 [0060.537] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xfffffa4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.537] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x5b2, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x5b2, lpOverlapped=0x0) returned 1 [0060.537] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.537] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0060.537] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0060.538] CloseHandle (hObject=0x1dc) returned 1 [0060.538] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.protected") returned 95 [0060.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.protected")) returned 1 [0060.559] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0060.559] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0060.560] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 105 [0060.560] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0060.560] lstrlenA (lpString="EMPTY") returned 5 [0060.560] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0060.560] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0060.560] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0060.561] CloseHandle (hObject=0x1d8) returned 1 [0060.561] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0060.561] lstrcmpiW (lpString1="Proofing.msi", lpString2="Windows") returned -1 [0060.561] lstrcmpiW (lpString1="Proofing.msi", lpString2="Program Files") returned 1 [0060.561] lstrcmpiW (lpString1="Proofing.msi", lpString2="Program Files (x86)") returned 1 [0060.561] lstrcmpiW (lpString1="Proofing.msi", lpString2="$Recycle.bin") returned 1 [0060.561] lstrcmpiW (lpString1="Proofing.msi", lpString2="System Volume Information") returned -1 [0060.561] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0060.561] StrStrIW (lpFirst="Proofing.msi", lpSrch=".protected") returned 0x0 [0060.561] lstrcmpW (lpString1="Proofing.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0060.561] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0060.561] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0060.561] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0060.561] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0060.561] StrStrW (lpFirst="Proofing.msi", lpSrch=".txt") returned 0x0 [0060.561] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0060.561] StrStrW (lpFirst="Proofing.msi", lpSrch=".rar") returned 0x0 [0060.561] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0060.561] StrStrW (lpFirst="Proofing.msi", lpSrch=".zip") returned 0x0 [0060.561] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0060.570] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.570] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0060.571] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.571] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0060.591] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0060.592] CloseHandle (hObject=0x1d8) returned 1 [0060.614] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.protected") returned 89 [0060.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.protected")) returned 1 [0060.615] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0060.615] lstrcmpiW (lpString1="Proofing.xml", lpString2="Windows") returned -1 [0060.615] lstrcmpiW (lpString1="Proofing.xml", lpString2="Program Files") returned 1 [0060.615] lstrcmpiW (lpString1="Proofing.xml", lpString2="Program Files (x86)") returned 1 [0060.615] lstrcmpiW (lpString1="Proofing.xml", lpString2="$Recycle.bin") returned 1 [0060.615] lstrcmpiW (lpString1="Proofing.xml", lpString2="System Volume Information") returned -1 [0060.615] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0060.615] StrStrIW (lpFirst="Proofing.xml", lpSrch=".protected") returned 0x0 [0060.615] lstrcmpW (lpString1="Proofing.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0060.615] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0060.615] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0060.615] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0060.615] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0060.615] StrStrW (lpFirst="Proofing.xml", lpSrch=".txt") returned 0x0 [0060.615] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0060.615] StrStrW (lpFirst="Proofing.xml", lpSrch=".rar") returned 0x0 [0060.615] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0060.615] StrStrW (lpFirst="Proofing.xml", lpSrch=".zip") returned 0x0 [0060.615] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x32b, lpOverlapped=0x0) returned 1 [0060.628] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffcd5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.628] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x32b, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x32b, lpOverlapped=0x0) returned 1 [0060.628] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.628] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0060.628] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0060.628] CloseHandle (hObject=0x1d8) returned 1 [0060.628] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.protected") returned 89 [0060.629] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.protected")) returned 1 [0060.629] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0060.629] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0060.629] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0060.629] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0060.629] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0060.629] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0060.629] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0060.629] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0060.629] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0060.629] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0060.629] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0060.629] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0060.629] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0060.629] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0060.629] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0060.629] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0060.629] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0060.630] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0060.630] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x16fc, lpOverlapped=0x0) returned 1 [0060.749] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffe904, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.749] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x16fc, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x16fc, lpOverlapped=0x0) returned 1 [0060.749] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.749] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0060.749] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0060.749] CloseHandle (hObject=0x1d8) returned 1 [0060.750] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0060.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0060.750] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0060.751] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0060.751] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0060.751] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0060.751] lstrlenA (lpString="EMPTY") returned 5 [0060.751] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0060.751] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0060.751] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0060.752] CloseHandle (hObject=0x1d4) returned 1 [0060.752] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0060.752] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0060.752] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0060.752] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0060.752] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0060.752] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0060.752] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C") returned 66 [0060.752] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0060.752] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0060.752] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*") returned 68 [0060.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0060.849] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0060.849] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0060.849] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0060.849] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0060.849] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0060.849] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\.") returned 68 [0060.849] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.849] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0060.849] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0060.849] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0060.850] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0060.850] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0060.850] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0060.850] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0060.850] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0060.850] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0060.850] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0060.850] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0060.850] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\..") returned 69 [0060.850] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.850] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.850] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0060.850] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0060.850] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0060.850] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0060.850] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0060.850] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0060.850] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Windows") returned -1 [0060.850] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Program Files") returned -1 [0060.850] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Program Files (x86)") returned -1 [0060.850] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="$Recycle.bin") returned 1 [0060.850] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="System Volume Information") returned -1 [0060.850] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 [0060.850] StrStrIW (lpFirst="Office32MUI.msi", lpSrch=".protected") returned 0x0 [0060.850] lstrcmpW (lpString1="Office32MUI.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0060.850] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0060.850] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0060.850] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0060.851] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 [0060.851] StrStrW (lpFirst="Office32MUI.msi", lpSrch=".txt") returned 0x0 [0060.851] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 [0060.851] StrStrW (lpFirst="Office32MUI.msi", lpSrch=".rar") returned 0x0 [0060.851] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 [0060.851] StrStrW (lpFirst="Office32MUI.msi", lpSrch=".zip") returned 0x0 [0060.851] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0060.925] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.925] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0060.925] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.925] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0060.983] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0060.983] CloseHandle (hObject=0x1d8) returned 1 [0061.089] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.protected") returned 92 [0061.089] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.protected")) returned 1 [0061.090] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0061.090] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Windows") returned -1 [0061.090] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Program Files") returned -1 [0061.090] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Program Files (x86)") returned -1 [0061.090] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="$Recycle.bin") returned 1 [0061.090] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="System Volume Information") returned -1 [0061.090] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0061.090] StrStrIW (lpFirst="Office32MUI.xml", lpSrch=".protected") returned 0x0 [0061.090] lstrcmpW (lpString1="Office32MUI.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0061.090] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0061.090] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0061.090] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0061.090] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0061.090] StrStrW (lpFirst="Office32MUI.xml", lpSrch=".txt") returned 0x0 [0061.090] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0061.090] StrStrW (lpFirst="Office32MUI.xml", lpSrch=".rar") returned 0x0 [0061.090] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0061.090] StrStrW (lpFirst="Office32MUI.xml", lpSrch=".zip") returned 0x0 [0061.090] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x567, lpOverlapped=0x0) returned 1 [0061.259] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffa99, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.260] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x567, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x567, lpOverlapped=0x0) returned 1 [0061.260] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.260] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0061.260] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0061.260] CloseHandle (hObject=0x1d8) returned 1 [0061.261] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.protected") returned 92 [0061.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.protected")) returned 1 [0061.261] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0061.261] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Windows") returned -1 [0061.261] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Program Files") returned -1 [0061.261] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Program Files (x86)") returned -1 [0061.261] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="$Recycle.bin") returned 1 [0061.261] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="System Volume Information") returned -1 [0061.262] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0061.262] StrStrIW (lpFirst="OWOW32LR.cab", lpSrch=".protected") returned 0x0 [0061.262] lstrcmpW (lpString1="OWOW32LR.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0061.262] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0061.262] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0061.262] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0061.262] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0061.262] StrStrW (lpFirst="OWOW32LR.cab", lpSrch=".txt") returned 0x0 [0061.262] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0061.262] StrStrW (lpFirst="OWOW32LR.cab", lpSrch=".rar") returned 0x0 [0061.262] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0061.262] StrStrW (lpFirst="OWOW32LR.cab", lpSrch=".zip") returned 0x0 [0061.262] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0061.352] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.352] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0061.353] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.353] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0061.369] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0061.369] CloseHandle (hObject=0x1d8) returned 1 [0061.730] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.protected") returned 89 [0061.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.protected")) returned 1 [0061.730] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0061.730] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0061.730] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0061.730] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0061.730] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0061.731] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0061.731] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0061.731] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0061.731] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0061.731] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0061.731] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0061.731] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0061.731] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0061.731] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0061.731] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0061.731] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0061.731] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0061.731] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0061.731] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x93a, lpOverlapped=0x0) returned 1 [0061.745] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff6c6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.745] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x93a, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x93a, lpOverlapped=0x0) returned 1 [0061.745] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.745] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0061.745] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0061.745] CloseHandle (hObject=0x1d8) returned 1 [0061.746] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0061.746] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0061.747] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0061.747] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0061.747] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0061.747] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0061.747] lstrlenA (lpString="EMPTY") returned 5 [0061.747] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0061.748] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0061.748] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0061.748] CloseHandle (hObject=0x1d4) returned 1 [0061.749] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0061.749] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0061.749] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0061.749] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0061.749] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0061.749] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0061.749] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C") returned 66 [0061.749] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0061.749] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0061.749] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*") returned 68 [0061.749] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0061.759] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0061.759] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0061.759] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0061.759] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0061.759] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0061.759] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\.") returned 68 [0061.759] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.759] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0061.759] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0061.759] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0061.759] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0061.759] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0061.759] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0061.759] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0061.760] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0061.760] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0061.760] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0061.760] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0061.760] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\..") returned 69 [0061.760] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.760] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.760] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0061.760] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0061.760] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0061.760] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0061.760] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0061.760] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0061.760] lstrcmpiW (lpString1="InfLR.cab", lpString2="Windows") returned -1 [0061.760] lstrcmpiW (lpString1="InfLR.cab", lpString2="Program Files") returned -1 [0061.760] lstrcmpiW (lpString1="InfLR.cab", lpString2="Program Files (x86)") returned -1 [0061.760] lstrcmpiW (lpString1="InfLR.cab", lpString2="$Recycle.bin") returned 1 [0061.760] lstrcmpiW (lpString1="InfLR.cab", lpString2="System Volume Information") returned -1 [0061.760] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0061.760] StrStrIW (lpFirst="InfLR.cab", lpSrch=".protected") returned 0x0 [0061.760] lstrcmpW (lpString1="InfLR.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0061.760] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0061.760] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0061.760] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0061.761] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0061.761] StrStrW (lpFirst="InfLR.cab", lpSrch=".txt") returned 0x0 [0061.761] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0061.761] StrStrW (lpFirst="InfLR.cab", lpSrch=".rar") returned 0x0 [0061.761] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0061.761] StrStrW (lpFirst="InfLR.cab", lpSrch=".zip") returned 0x0 [0061.761] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0061.778] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.778] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0061.778] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.779] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0061.780] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0061.780] CloseHandle (hObject=0x1d8) returned 1 [0061.884] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.protected") returned 86 [0061.884] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.protected")) returned 1 [0061.884] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0061.884] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Windows") returned -1 [0061.884] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Program Files") returned -1 [0061.884] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Program Files (x86)") returned -1 [0061.884] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="$Recycle.bin") returned 1 [0061.884] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="System Volume Information") returned -1 [0061.885] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0061.885] StrStrIW (lpFirst="InfoPathMUI.msi", lpSrch=".protected") returned 0x0 [0061.885] lstrcmpW (lpString1="InfoPathMUI.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0061.885] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0061.885] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0061.885] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0061.885] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0061.885] StrStrW (lpFirst="InfoPathMUI.msi", lpSrch=".txt") returned 0x0 [0061.885] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0061.885] StrStrW (lpFirst="InfoPathMUI.msi", lpSrch=".rar") returned 0x0 [0061.885] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0061.885] StrStrW (lpFirst="InfoPathMUI.msi", lpSrch=".zip") returned 0x0 [0061.885] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0061.902] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.903] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0061.903] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.903] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0061.905] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0061.905] CloseHandle (hObject=0x1d8) returned 1 [0061.905] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.protected") returned 92 [0061.905] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.protected")) returned 1 [0061.907] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0061.907] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Windows") returned -1 [0061.907] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Program Files") returned -1 [0061.907] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Program Files (x86)") returned -1 [0061.907] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="$Recycle.bin") returned 1 [0061.907] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="System Volume Information") returned -1 [0061.907] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0061.907] StrStrIW (lpFirst="InfoPathMUI.xml", lpSrch=".protected") returned 0x0 [0061.907] lstrcmpW (lpString1="InfoPathMUI.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0061.907] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0061.907] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0061.907] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0061.907] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0061.907] StrStrW (lpFirst="InfoPathMUI.xml", lpSrch=".txt") returned 0x0 [0061.907] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0061.907] StrStrW (lpFirst="InfoPathMUI.xml", lpSrch=".rar") returned 0x0 [0061.908] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0061.908] StrStrW (lpFirst="InfoPathMUI.xml", lpSrch=".zip") returned 0x0 [0061.908] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x4cf, lpOverlapped=0x0) returned 1 [0061.927] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffb31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.928] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x4cf, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x4cf, lpOverlapped=0x0) returned 1 [0061.928] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.928] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0061.928] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0061.928] CloseHandle (hObject=0x1d8) returned 1 [0061.928] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.protected") returned 92 [0061.928] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.protected")) returned 1 [0061.929] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0061.929] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0061.929] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0061.929] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0061.929] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0061.929] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0061.929] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0061.929] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0061.929] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0061.929] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0061.929] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0061.929] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0061.929] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0061.930] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0061.930] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0061.930] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0061.930] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0061.930] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0061.930] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x73c, lpOverlapped=0x0) returned 1 [0061.959] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.959] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x73c, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x73c, lpOverlapped=0x0) returned 1 [0062.070] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.070] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0062.070] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0062.070] CloseHandle (hObject=0x1d8) returned 1 [0062.071] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0062.071] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0062.128] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0062.128] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0062.128] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0062.128] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0062.128] lstrlenA (lpString="EMPTY") returned 5 [0062.128] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0062.129] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0062.129] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0062.129] CloseHandle (hObject=0x1d4) returned 1 [0062.129] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0062.130] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0062.130] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0062.130] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0062.130] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0062.130] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0062.130] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C") returned 66 [0062.130] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0062.130] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0062.130] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*") returned 68 [0062.130] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0062.139] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.139] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.157] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.157] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.158] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.158] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\.") returned 68 [0062.263] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.263] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0062.263] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0062.263] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.263] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.263] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.263] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.263] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.263] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.263] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.263] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.263] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.263] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\..") returned 69 [0062.263] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.263] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.263] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0062.263] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0062.263] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.263] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.263] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.263] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.263] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0062.263] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0062.264] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0062.264] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0062.264] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0062.264] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.264] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0062.264] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0062.264] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.264] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.264] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0062.278] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.278] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0062.278] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.278] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0062.278] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.278] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0062.278] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x1861, lpOverlapped=0x0) returned 1 [0062.330] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffe79f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.330] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x1861, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x1861, lpOverlapped=0x0) returned 1 [0062.330] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.330] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0062.330] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0062.330] CloseHandle (hObject=0x1d8) returned 1 [0062.330] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0062.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0062.332] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.332] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Windows") returned -1 [0062.332] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Program Files") returned 1 [0062.332] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Program Files (x86)") returned 1 [0062.332] lstrcmpiW (lpString1="VisioLR.cab", lpString2="$Recycle.bin") returned 1 [0062.332] lstrcmpiW (lpString1="VisioLR.cab", lpString2="System Volume Information") returned 1 [0062.332] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0062.332] StrStrIW (lpFirst="VisioLR.cab", lpSrch=".protected") returned 0x0 [0062.332] lstrcmpW (lpString1="VisioLR.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0062.332] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.332] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.333] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0062.333] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0062.333] StrStrW (lpFirst="VisioLR.cab", lpSrch=".txt") returned 0x0 [0062.333] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0062.333] StrStrW (lpFirst="VisioLR.cab", lpSrch=".rar") returned 0x0 [0062.333] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0062.333] StrStrW (lpFirst="VisioLR.cab", lpSrch=".zip") returned 0x0 [0062.333] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.349] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.349] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.349] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.350] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0062.351] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0062.351] CloseHandle (hObject=0x1d8) returned 1 [0062.352] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.protected") returned 88 [0062.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.protected")) returned 1 [0062.352] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.352] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Windows") returned -1 [0062.352] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Program Files") returned 1 [0062.352] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Program Files (x86)") returned 1 [0062.352] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="$Recycle.bin") returned 1 [0062.352] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="System Volume Information") returned 1 [0062.352] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 79 [0062.352] StrStrIW (lpFirst="VisioMUI.msi", lpSrch=".protected") returned 0x0 [0062.353] lstrcmpW (lpString1="VisioMUI.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0062.353] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.353] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.353] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0062.353] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 79 [0062.353] StrStrW (lpFirst="VisioMUI.msi", lpSrch=".txt") returned 0x0 [0062.353] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 79 [0062.353] StrStrW (lpFirst="VisioMUI.msi", lpSrch=".rar") returned 0x0 [0062.353] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 79 [0062.353] StrStrW (lpFirst="VisioMUI.msi", lpSrch=".zip") returned 0x0 [0062.353] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.373] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.373] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.374] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.374] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0062.374] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0062.374] CloseHandle (hObject=0x1d8) returned 1 [0062.465] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.protected") returned 89 [0062.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.protected")) returned 1 [0062.465] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.465] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Windows") returned -1 [0062.465] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Program Files") returned 1 [0062.465] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Program Files (x86)") returned 1 [0062.465] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="$Recycle.bin") returned 1 [0062.465] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="System Volume Information") returned 1 [0062.466] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0062.466] StrStrIW (lpFirst="VisioMUI.xml", lpSrch=".protected") returned 0x0 [0062.466] lstrcmpW (lpString1="VisioMUI.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0062.466] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.466] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.466] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0062.466] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0062.466] StrStrW (lpFirst="VisioMUI.xml", lpSrch=".txt") returned 0x0 [0062.466] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0062.466] StrStrW (lpFirst="VisioMUI.xml", lpSrch=".rar") returned 0x0 [0062.466] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0062.466] StrStrW (lpFirst="VisioMUI.xml", lpSrch=".zip") returned 0x0 [0062.466] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x251f, lpOverlapped=0x0) returned 1 [0062.468] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffdae1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.468] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x251f, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x251f, lpOverlapped=0x0) returned 1 [0062.468] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.468] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0062.468] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0062.468] CloseHandle (hObject=0x1d8) returned 1 [0062.468] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.protected") returned 89 [0062.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.protected")) returned 1 [0062.469] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0062.469] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0062.469] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0062.469] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0062.469] lstrlenA (lpString="EMPTY") returned 5 [0062.469] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0062.470] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0062.470] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0062.470] CloseHandle (hObject=0x1d4) returned 1 [0062.470] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0062.470] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0062.470] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0062.471] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0062.471] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0062.471] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0062.471] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C") returned 66 [0062.471] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0062.471] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0062.471] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*") returned 68 [0062.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0062.503] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.503] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.503] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.503] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.503] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.503] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\.") returned 68 [0062.503] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.503] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0062.503] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0062.503] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.503] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.503] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.503] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.503] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.503] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.503] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.503] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.503] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.504] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\..") returned 69 [0062.504] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.504] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.504] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0062.504] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0062.504] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.504] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.504] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.504] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.504] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Windows") returned -1 [0062.504] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Program Files") returned -1 [0062.504] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Program Files (x86)") returned -1 [0062.504] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="$Recycle.bin") returned 1 [0062.504] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="System Volume Information") returned -1 [0062.504] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0062.504] StrStrIW (lpFirst="OneNoteMUI.msi", lpSrch=".protected") returned 0x0 [0062.504] lstrcmpW (lpString1="OneNoteMUI.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0062.504] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.504] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.504] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0062.504] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0062.504] StrStrW (lpFirst="OneNoteMUI.msi", lpSrch=".txt") returned 0x0 [0062.505] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0062.505] StrStrW (lpFirst="OneNoteMUI.msi", lpSrch=".rar") returned 0x0 [0062.505] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0062.505] StrStrW (lpFirst="OneNoteMUI.msi", lpSrch=".zip") returned 0x0 [0062.505] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.565] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.565] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.566] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.566] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0062.572] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0062.572] CloseHandle (hObject=0x1d8) returned 1 [0062.575] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.protected") returned 91 [0062.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.protected")) returned 1 [0062.575] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.575] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Windows") returned -1 [0062.575] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Program Files") returned -1 [0062.575] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Program Files (x86)") returned -1 [0062.575] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="$Recycle.bin") returned 1 [0062.575] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="System Volume Information") returned -1 [0062.575] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0062.575] StrStrIW (lpFirst="OneNoteMUI.xml", lpSrch=".protected") returned 0x0 [0062.575] lstrcmpW (lpString1="OneNoteMUI.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0062.575] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.575] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.576] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0062.576] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0062.576] StrStrW (lpFirst="OneNoteMUI.xml", lpSrch=".txt") returned 0x0 [0062.576] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0062.576] StrStrW (lpFirst="OneNoteMUI.xml", lpSrch=".rar") returned 0x0 [0062.576] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0062.576] StrStrW (lpFirst="OneNoteMUI.xml", lpSrch=".zip") returned 0x0 [0062.576] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x646, lpOverlapped=0x0) returned 1 [0062.627] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff9ba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.627] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x646, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x646, lpOverlapped=0x0) returned 1 [0062.627] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.627] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0062.627] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0062.628] CloseHandle (hObject=0x1d8) returned 1 [0062.628] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.protected") returned 91 [0062.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.protected")) returned 1 [0062.628] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.628] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Windows") returned -1 [0062.628] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Program Files") returned -1 [0062.628] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Program Files (x86)") returned -1 [0062.629] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="$Recycle.bin") returned 1 [0062.629] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="System Volume Information") returned -1 [0062.629] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0062.629] StrStrIW (lpFirst="OnoteLR.cab", lpSrch=".protected") returned 0x0 [0062.629] lstrcmpW (lpString1="OnoteLR.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0062.629] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.629] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.629] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0062.630] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0062.630] StrStrW (lpFirst="OnoteLR.cab", lpSrch=".txt") returned 0x0 [0062.630] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0062.630] StrStrW (lpFirst="OnoteLR.cab", lpSrch=".rar") returned 0x0 [0062.630] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0062.630] StrStrW (lpFirst="OnoteLR.cab", lpSrch=".zip") returned 0x0 [0062.630] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.648] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.648] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.648] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.649] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0062.704] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0062.704] CloseHandle (hObject=0x1d8) returned 1 [0062.704] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.protected") returned 88 [0062.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.protected")) returned 1 [0062.704] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.704] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0062.704] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0062.704] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0062.704] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0062.705] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0062.705] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.705] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0062.705] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0062.705] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.705] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.705] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0062.705] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.705] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0062.705] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.705] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0062.705] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.705] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0062.705] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x7c4, lpOverlapped=0x0) returned 1 [0062.730] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff83c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.730] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x7c4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x7c4, lpOverlapped=0x0) returned 1 [0062.731] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.731] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0062.731] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0062.731] CloseHandle (hObject=0x1d8) returned 1 [0062.731] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0062.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0062.732] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0062.732] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0062.732] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0062.732] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0062.732] lstrlenA (lpString="EMPTY") returned 5 [0062.732] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0062.733] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0062.733] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0062.733] CloseHandle (hObject=0x1d4) returned 1 [0062.733] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0062.733] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0062.733] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0062.733] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0062.733] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0062.734] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0062.734] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C") returned 66 [0062.734] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0062.734] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0062.734] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*") returned 68 [0062.734] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0062.768] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.768] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.768] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.768] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.768] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.768] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\.") returned 68 [0062.768] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.768] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0062.768] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0062.768] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.768] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.768] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.769] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.769] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.769] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.769] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.769] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.769] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.769] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\..") returned 69 [0062.769] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.769] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.769] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0062.769] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0062.769] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.769] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.769] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.769] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.769] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Windows") returned -1 [0062.769] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Program Files") returned 1 [0062.769] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Program Files (x86)") returned 1 [0062.769] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="$Recycle.bin") returned 1 [0062.769] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="System Volume Information") returned -1 [0062.769] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0062.769] StrStrIW (lpFirst="ProjectMUI.msi", lpSrch=".protected") returned 0x0 [0062.769] lstrcmpW (lpString1="ProjectMUI.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0062.769] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.769] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.769] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0062.886] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0062.886] StrStrW (lpFirst="ProjectMUI.msi", lpSrch=".txt") returned 0x0 [0062.886] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0062.886] StrStrW (lpFirst="ProjectMUI.msi", lpSrch=".rar") returned 0x0 [0062.886] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0062.886] StrStrW (lpFirst="ProjectMUI.msi", lpSrch=".zip") returned 0x0 [0062.886] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.888] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.888] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.888] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.888] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0062.890] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0062.890] CloseHandle (hObject=0x1d8) returned 1 [0062.890] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.protected") returned 91 [0062.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.protected")) returned 1 [0062.891] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.891] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Windows") returned -1 [0062.891] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Program Files") returned 1 [0062.891] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Program Files (x86)") returned 1 [0062.891] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="$Recycle.bin") returned 1 [0062.891] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="System Volume Information") returned -1 [0062.891] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0062.891] StrStrIW (lpFirst="ProjectMUI.xml", lpSrch=".protected") returned 0x0 [0062.891] lstrcmpW (lpString1="ProjectMUI.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0062.891] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.891] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.892] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0062.893] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0062.893] StrStrW (lpFirst="ProjectMUI.xml", lpSrch=".txt") returned 0x0 [0062.893] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0062.893] StrStrW (lpFirst="ProjectMUI.xml", lpSrch=".rar") returned 0x0 [0062.893] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0062.893] StrStrW (lpFirst="ProjectMUI.xml", lpSrch=".zip") returned 0x0 [0062.893] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x5ac, lpOverlapped=0x0) returned 1 [0062.895] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffa54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.897] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x5ac, lpOverlapped=0x0) returned 1 [0062.897] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.897] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0062.897] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0062.898] CloseHandle (hObject=0x1d8) returned 1 [0062.898] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.protected") returned 91 [0062.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.protected")) returned 1 [0062.898] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.898] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Windows") returned -1 [0062.898] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Program Files") returned 1 [0062.898] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Program Files (x86)") returned 1 [0062.899] lstrcmpiW (lpString1="ProjLR.cab", lpString2="$Recycle.bin") returned 1 [0062.899] lstrcmpiW (lpString1="ProjLR.cab", lpString2="System Volume Information") returned -1 [0062.899] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0062.899] StrStrIW (lpFirst="ProjLR.cab", lpSrch=".protected") returned 0x0 [0062.899] lstrcmpW (lpString1="ProjLR.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0062.899] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.899] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.899] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0062.900] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0062.900] StrStrW (lpFirst="ProjLR.cab", lpSrch=".txt") returned 0x0 [0062.900] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0062.900] StrStrW (lpFirst="ProjLR.cab", lpSrch=".rar") returned 0x0 [0062.900] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0062.900] StrStrW (lpFirst="ProjLR.cab", lpSrch=".zip") returned 0x0 [0062.900] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.933] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.933] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.934] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.935] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0062.947] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0062.947] CloseHandle (hObject=0x1d8) returned 1 [0062.947] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.protected") returned 87 [0062.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.protected")) returned 1 [0062.948] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.948] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0062.948] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0062.948] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0062.948] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0062.948] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0062.948] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.948] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0062.948] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0062.948] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.948] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.948] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0062.949] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.949] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0062.949] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.949] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0062.949] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0062.949] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0062.949] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x750, lpOverlapped=0x0) returned 1 [0062.952] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff8b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.952] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x750, lpOverlapped=0x0) returned 1 [0062.952] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.953] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0062.953] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0062.953] CloseHandle (hObject=0x1d8) returned 1 [0062.953] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0062.953] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0062.954] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0062.954] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0062.954] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0062.954] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0062.954] lstrlenA (lpString="EMPTY") returned 5 [0062.954] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0062.955] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0062.955] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0062.955] CloseHandle (hObject=0x1d4) returned 1 [0062.956] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0062.956] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0062.956] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0062.956] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0062.956] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0062.956] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0062.956] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C") returned 66 [0062.956] lstrcmpW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0062.956] lstrcmpW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0062.956] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*") returned 68 [0062.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0062.989] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.989] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.989] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.989] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.989] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.989] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\.") returned 68 [0062.989] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.989] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0062.989] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0062.990] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.990] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.990] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.990] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.990] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.990] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.990] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.990] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.990] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.990] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\..") returned 69 [0062.990] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.990] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.990] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0062.990] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0062.990] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.990] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.990] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.990] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0062.990] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Windows") returned -1 [0062.990] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Program Files") returned -1 [0062.990] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Program Files (x86)") returned -1 [0062.990] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="$Recycle.bin") returned 1 [0062.991] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="System Volume Information") returned -1 [0062.991] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0062.991] StrStrIW (lpFirst="GrooveLR.cab", lpSrch=".protected") returned 0x0 [0062.991] lstrcmpW (lpString1="GrooveLR.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0062.991] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0062.991] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0062.991] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0062.992] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0062.992] StrStrW (lpFirst="GrooveLR.cab", lpSrch=".txt") returned 0x0 [0062.992] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0062.992] StrStrW (lpFirst="GrooveLR.cab", lpSrch=".rar") returned 0x0 [0062.992] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0062.992] StrStrW (lpFirst="GrooveLR.cab", lpSrch=".zip") returned 0x0 [0062.992] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.993] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.994] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0062.994] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.994] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0063.016] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0063.016] CloseHandle (hObject=0x1d8) returned 1 [0063.016] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.protected") returned 89 [0063.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.protected")) returned 1 [0063.016] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0063.016] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Windows") returned -1 [0063.017] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Program Files") returned -1 [0063.017] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Program Files (x86)") returned -1 [0063.017] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="$Recycle.bin") returned 1 [0063.017] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="System Volume Information") returned -1 [0063.017] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0063.017] StrStrIW (lpFirst="GrooveMUI.msi", lpSrch=".protected") returned 0x0 [0063.017] lstrcmpW (lpString1="GrooveMUI.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0063.017] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0063.017] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0063.017] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0063.017] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0063.017] StrStrW (lpFirst="GrooveMUI.msi", lpSrch=".txt") returned 0x0 [0063.017] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0063.017] StrStrW (lpFirst="GrooveMUI.msi", lpSrch=".rar") returned 0x0 [0063.017] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0063.017] StrStrW (lpFirst="GrooveMUI.msi", lpSrch=".zip") returned 0x0 [0063.017] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0063.193] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.193] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0063.193] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.193] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0063.339] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0063.339] CloseHandle (hObject=0x1d8) returned 1 [0063.340] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.protected") returned 90 [0063.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.protected")) returned 1 [0063.340] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0063.340] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Windows") returned -1 [0063.340] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Program Files") returned -1 [0063.340] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Program Files (x86)") returned -1 [0063.340] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="$Recycle.bin") returned 1 [0063.340] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="System Volume Information") returned -1 [0063.340] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0063.340] StrStrIW (lpFirst="GrooveMUI.xml", lpSrch=".protected") returned 0x0 [0063.340] lstrcmpW (lpString1="GrooveMUI.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0063.340] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0063.341] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0063.341] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0063.341] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0063.341] StrStrW (lpFirst="GrooveMUI.xml", lpSrch=".txt") returned 0x0 [0063.341] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0063.341] StrStrW (lpFirst="GrooveMUI.xml", lpSrch=".rar") returned 0x0 [0063.341] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0063.341] StrStrW (lpFirst="GrooveMUI.xml", lpSrch=".zip") returned 0x0 [0063.341] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x391, lpOverlapped=0x0) returned 1 [0063.402] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffc6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.402] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x391, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x391, lpOverlapped=0x0) returned 1 [0063.402] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.402] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0063.402] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0063.402] CloseHandle (hObject=0x1d8) returned 1 [0063.402] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.protected") returned 90 [0063.402] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.protected")) returned 1 [0063.403] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0063.403] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0063.403] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0063.403] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0063.403] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0063.403] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0063.403] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0063.403] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0063.403] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0063.403] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0063.403] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0063.403] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0063.403] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0063.403] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0063.403] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0063.403] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0063.403] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0063.403] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0063.403] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x5ac, lpOverlapped=0x0) returned 1 [0063.414] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffa54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.414] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x5ac, lpOverlapped=0x0) returned 1 [0063.414] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.414] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0063.414] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0063.414] CloseHandle (hObject=0x1d8) returned 1 [0063.414] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0063.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0063.415] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0063.415] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0063.415] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0063.415] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0063.415] lstrlenA (lpString="EMPTY") returned 5 [0063.415] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0063.416] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0063.416] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0063.416] CloseHandle (hObject=0x1d4) returned 1 [0063.416] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0063.416] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0063.416] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0063.416] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0063.416] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0063.416] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0063.416] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C") returned 66 [0063.416] lstrcmpW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0063.416] lstrcmpW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0063.416] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*") returned 68 [0063.417] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0063.452] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.452] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.452] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.452] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.452] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.452] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.") returned 68 [0063.452] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.452] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0063.452] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0063.452] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0063.452] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0063.452] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.453] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0063.453] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.453] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.453] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.453] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.453] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.453] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\..") returned 69 [0063.453] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.453] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.453] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0063.453] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0063.453] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0063.453] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0063.453] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.453] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0063.453] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0063.453] lstrcmpiW (lpString1="1033", lpString2="Program Files") returned -1 [0063.453] lstrcmpiW (lpString1="1033", lpString2="Program Files (x86)") returned -1 [0063.453] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0063.453] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0063.453] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033") returned 71 [0063.453] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0063.453] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0063.453] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*") returned 73 [0063.453] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0063.454] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.454] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.454] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.454] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.454] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.454] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\.") returned 73 [0063.454] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.454] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0063.454] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.454] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.454] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.454] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.454] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.454] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\..") returned 74 [0063.454] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.454] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.455] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0063.455] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Windows") returned -1 [0063.455] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Program Files") returned -1 [0063.455] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Program Files (x86)") returned -1 [0063.455] lstrcmpiW (lpString1="dwintl20.dll", lpString2="$Recycle.bin") returned 1 [0063.455] lstrcmpiW (lpString1="dwintl20.dll", lpString2="System Volume Information") returned -1 [0063.455] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0063.455] StrStrIW (lpFirst="dwintl20.dll", lpSrch=".protected") returned 0x0 [0063.455] lstrcmpW (lpString1="dwintl20.dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0063.455] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0063.455] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0063.455] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0063.455] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0063.455] StrStrW (lpFirst="dwintl20.dll", lpSrch=".txt") returned 0x0 [0063.455] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0063.455] StrStrW (lpFirst="dwintl20.dll", lpSrch=".rar") returned 0x0 [0063.455] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0063.455] StrStrW (lpFirst="dwintl20.dll", lpSrch=".zip") returned 0x0 [0063.455] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0063.525] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.525] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0063.526] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.526] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0063.531] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0063.531] CloseHandle (hObject=0x1dc) returned 1 [0063.531] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.protected") returned 94 [0063.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.protected")) returned 1 [0063.532] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0063.532] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0063.532] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 101 [0063.532] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0063.533] lstrlenA (lpString="EMPTY") returned 5 [0063.533] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0063.533] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0063.533] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0063.534] CloseHandle (hObject=0x1d8) returned 1 [0063.534] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0063.534] lstrcmpiW (lpString1="branding.xml", lpString2="Windows") returned -1 [0063.534] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files") returned -1 [0063.534] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files (x86)") returned -1 [0063.534] lstrcmpiW (lpString1="branding.xml", lpString2="$Recycle.bin") returned 1 [0063.534] lstrcmpiW (lpString1="branding.xml", lpString2="System Volume Information") returned -1 [0063.534] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0063.534] StrStrIW (lpFirst="branding.xml", lpSrch=".protected") returned 0x0 [0063.534] lstrcmpW (lpString1="branding.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0063.534] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0063.534] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0063.534] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0063.535] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0063.535] StrStrW (lpFirst="branding.xml", lpSrch=".txt") returned 0x0 [0063.535] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0063.535] StrStrW (lpFirst="branding.xml", lpSrch=".rar") returned 0x0 [0063.535] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0063.535] StrStrW (lpFirst="branding.xml", lpSrch=".zip") returned 0x0 [0063.535] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0063.562] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.562] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0063.562] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.562] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0063.569] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0063.569] CloseHandle (hObject=0x1d8) returned 1 [0063.570] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.protected") returned 89 [0063.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.protected")) returned 1 [0063.571] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0063.571] lstrcmpiW (lpString1="DW20.EXE", lpString2="Windows") returned -1 [0063.571] lstrcmpiW (lpString1="DW20.EXE", lpString2="Program Files") returned -1 [0063.571] lstrcmpiW (lpString1="DW20.EXE", lpString2="Program Files (x86)") returned -1 [0063.571] lstrcmpiW (lpString1="DW20.EXE", lpString2="$Recycle.bin") returned 1 [0063.571] lstrcmpiW (lpString1="DW20.EXE", lpString2="System Volume Information") returned -1 [0063.571] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0063.571] StrStrIW (lpFirst="DW20.EXE", lpSrch=".protected") returned 0x0 [0063.571] lstrcmpW (lpString1="DW20.EXE", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0063.571] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0063.571] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0063.571] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0063.572] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0063.572] StrStrW (lpFirst="DW20.EXE", lpSrch=".txt") returned 0x0 [0063.572] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0063.572] StrStrW (lpFirst="DW20.EXE", lpSrch=".rar") returned 0x0 [0063.572] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0063.572] StrStrW (lpFirst="DW20.EXE", lpSrch=".zip") returned 0x0 [0063.572] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0063.795] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.795] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0063.795] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.795] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0063.952] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0063.952] CloseHandle (hObject=0x1d8) returned 1 [0063.952] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.protected") returned 85 [0063.952] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.protected")) returned 1 [0063.953] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0063.953] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Windows") returned -1 [0063.953] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Program Files") returned -1 [0063.953] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Program Files (x86)") returned -1 [0063.953] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="$Recycle.bin") returned 1 [0063.953] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="System Volume Information") returned -1 [0063.953] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0063.953] StrStrIW (lpFirst="dwdcw20.dll", lpSrch=".protected") returned 0x0 [0063.953] lstrcmpW (lpString1="dwdcw20.dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0063.953] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0063.953] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0063.953] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0063.954] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0063.954] StrStrW (lpFirst="dwdcw20.dll", lpSrch=".txt") returned 0x0 [0063.954] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0063.954] StrStrW (lpFirst="dwdcw20.dll", lpSrch=".rar") returned 0x0 [0063.954] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0063.954] StrStrW (lpFirst="dwdcw20.dll", lpSrch=".zip") returned 0x0 [0063.954] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0063.957] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.957] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0063.957] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.957] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0063.972] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0063.972] CloseHandle (hObject=0x1d8) returned 1 [0063.972] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.protected") returned 88 [0063.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.protected")) returned 1 [0063.973] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0063.973] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Windows") returned -1 [0063.973] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Program Files") returned -1 [0063.973] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Program Files (x86)") returned -1 [0063.973] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="$Recycle.bin") returned 1 [0063.973] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="System Volume Information") returned -1 [0063.973] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0063.973] StrStrIW (lpFirst="dwtrig20.exe", lpSrch=".protected") returned 0x0 [0063.973] lstrcmpW (lpString1="dwtrig20.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0063.973] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0063.973] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0063.973] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0063.974] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0063.974] StrStrW (lpFirst="dwtrig20.exe", lpSrch=".txt") returned 0x0 [0063.974] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0063.974] StrStrW (lpFirst="dwtrig20.exe", lpSrch=".rar") returned 0x0 [0063.974] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0063.974] StrStrW (lpFirst="dwtrig20.exe", lpSrch=".zip") returned 0x0 [0063.974] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0063.990] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.990] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0063.990] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.990] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0063.993] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0063.993] CloseHandle (hObject=0x1d8) returned 1 [0063.993] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.protected") returned 89 [0063.993] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.protected")) returned 1 [0063.994] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0063.994] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Windows") returned -1 [0063.994] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Program Files") returned -1 [0063.994] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Program Files (x86)") returned -1 [0063.994] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="$Recycle.bin") returned 1 [0063.994] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="System Volume Information") returned -1 [0063.994] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0063.994] StrStrIW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".protected") returned 0x0 [0063.994] lstrcmpW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0063.994] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0063.994] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0063.994] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0063.995] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0063.995] StrStrW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".txt") returned 0x0 [0063.995] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0063.995] StrStrW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".rar") returned 0x0 [0063.995] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0063.995] StrStrW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".zip") returned 0x0 [0063.995] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x741, lpOverlapped=0x0) returned 1 [0064.183] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff8bf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.183] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x741, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x741, lpOverlapped=0x0) returned 1 [0064.184] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.184] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0064.184] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0064.184] CloseHandle (hObject=0x1d8) returned 1 [0064.184] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.protected") returned 104 [0064.184] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.protected")) returned 1 [0064.185] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0064.185] lstrcmpiW (lpString1="msvcr90.dll", lpString2="Windows") returned -1 [0064.185] lstrcmpiW (lpString1="msvcr90.dll", lpString2="Program Files") returned -1 [0064.185] lstrcmpiW (lpString1="msvcr90.dll", lpString2="Program Files (x86)") returned -1 [0064.185] lstrcmpiW (lpString1="msvcr90.dll", lpString2="$Recycle.bin") returned 1 [0064.185] lstrcmpiW (lpString1="msvcr90.dll", lpString2="System Volume Information") returned -1 [0064.185] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0064.185] StrStrIW (lpFirst="msvcr90.dll", lpSrch=".protected") returned 0x0 [0064.185] lstrcmpW (lpString1="msvcr90.dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0064.185] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0064.185] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0064.185] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0064.185] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0064.185] StrStrW (lpFirst="msvcr90.dll", lpSrch=".txt") returned 0x0 [0064.185] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0064.185] StrStrW (lpFirst="msvcr90.dll", lpSrch=".rar") returned 0x0 [0064.185] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0064.185] StrStrW (lpFirst="msvcr90.dll", lpSrch=".zip") returned 0x0 [0064.185] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0064.192] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.192] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0064.192] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.192] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0064.204] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0064.204] CloseHandle (hObject=0x1d8) returned 1 [0064.204] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.protected") returned 88 [0064.204] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.protected")) returned 1 [0064.205] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0064.205] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Windows") returned -1 [0064.205] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Program Files") returned -1 [0064.205] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Program Files (x86)") returned -1 [0064.205] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="$Recycle.bin") returned 1 [0064.205] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="System Volume Information") returned -1 [0064.205] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0064.205] StrStrIW (lpFirst="OfficeLR.cab", lpSrch=".protected") returned 0x0 [0064.205] lstrcmpW (lpString1="OfficeLR.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0064.205] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0064.205] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0064.205] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0064.205] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0064.206] StrStrW (lpFirst="OfficeLR.cab", lpSrch=".txt") returned 0x0 [0064.206] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0064.206] StrStrW (lpFirst="OfficeLR.cab", lpSrch=".rar") returned 0x0 [0064.206] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0064.206] StrStrW (lpFirst="OfficeLR.cab", lpSrch=".zip") returned 0x0 [0064.206] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0064.207] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.207] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0064.208] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.208] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0064.236] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0064.236] CloseHandle (hObject=0x1d8) returned 1 [0064.238] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.protected") returned 89 [0064.238] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.protected")) returned 1 [0064.239] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0064.239] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Windows") returned -1 [0064.239] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Program Files") returned -1 [0064.239] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Program Files (x86)") returned -1 [0064.239] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="$Recycle.bin") returned 1 [0064.239] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="System Volume Information") returned -1 [0064.239] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0064.239] StrStrIW (lpFirst="OfficeMUI.msi", lpSrch=".protected") returned 0x0 [0064.239] lstrcmpW (lpString1="OfficeMUI.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0064.239] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0064.239] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0064.239] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0064.239] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0064.239] StrStrW (lpFirst="OfficeMUI.msi", lpSrch=".txt") returned 0x0 [0064.239] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0064.239] StrStrW (lpFirst="OfficeMUI.msi", lpSrch=".rar") returned 0x0 [0064.239] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0064.239] StrStrW (lpFirst="OfficeMUI.msi", lpSrch=".zip") returned 0x0 [0064.239] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0064.249] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.249] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0064.351] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.351] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0064.368] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0064.368] CloseHandle (hObject=0x1d8) returned 1 [0064.368] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.protected") returned 90 [0064.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.protected")) returned 1 [0064.369] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0064.369] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Windows") returned -1 [0064.369] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Program Files") returned -1 [0064.369] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Program Files (x86)") returned -1 [0064.369] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="$Recycle.bin") returned 1 [0064.369] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="System Volume Information") returned -1 [0064.369] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0064.369] StrStrIW (lpFirst="OfficeMUI.xml", lpSrch=".protected") returned 0x0 [0064.369] lstrcmpW (lpString1="OfficeMUI.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0064.369] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0064.369] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0064.369] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0064.369] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0064.369] StrStrW (lpFirst="OfficeMUI.xml", lpSrch=".txt") returned 0x0 [0064.369] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0064.369] StrStrW (lpFirst="OfficeMUI.xml", lpSrch=".rar") returned 0x0 [0064.369] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0064.369] StrStrW (lpFirst="OfficeMUI.xml", lpSrch=".zip") returned 0x0 [0064.369] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x15b5, lpOverlapped=0x0) returned 1 [0064.398] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffea4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.398] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x15b5, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x15b5, lpOverlapped=0x0) returned 1 [0064.398] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.398] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0064.398] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0064.398] CloseHandle (hObject=0x1d8) returned 1 [0064.398] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.protected") returned 90 [0064.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.protected")) returned 1 [0064.399] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0064.399] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Windows") returned -1 [0064.399] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Program Files") returned -1 [0064.399] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Program Files (x86)") returned -1 [0064.399] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="$Recycle.bin") returned 1 [0064.399] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="System Volume Information") returned -1 [0064.399] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0064.399] StrStrIW (lpFirst="OfficeMUISet.msi", lpSrch=".protected") returned 0x0 [0064.399] lstrcmpW (lpString1="OfficeMUISet.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0064.399] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0064.399] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0064.399] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0064.399] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0064.399] StrStrW (lpFirst="OfficeMUISet.msi", lpSrch=".txt") returned 0x0 [0064.399] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0064.399] StrStrW (lpFirst="OfficeMUISet.msi", lpSrch=".rar") returned 0x0 [0064.399] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0064.399] StrStrW (lpFirst="OfficeMUISet.msi", lpSrch=".zip") returned 0x0 [0064.399] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0064.635] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.635] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0064.636] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.636] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0064.702] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0064.702] CloseHandle (hObject=0x1d8) returned 1 [0064.716] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.protected") returned 93 [0064.716] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.protected")) returned 1 [0064.716] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0064.716] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Windows") returned -1 [0064.716] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Program Files") returned -1 [0064.716] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Program Files (x86)") returned -1 [0064.716] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="$Recycle.bin") returned 1 [0064.716] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="System Volume Information") returned -1 [0064.716] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0064.716] StrStrIW (lpFirst="OfficeMUISet.xml", lpSrch=".protected") returned 0x0 [0064.716] lstrcmpW (lpString1="OfficeMUISet.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0064.716] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0064.716] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0064.717] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0064.717] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0064.717] StrStrW (lpFirst="OfficeMUISet.xml", lpSrch=".txt") returned 0x0 [0064.717] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0064.717] StrStrW (lpFirst="OfficeMUISet.xml", lpSrch=".rar") returned 0x0 [0064.717] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0064.717] StrStrW (lpFirst="OfficeMUISet.xml", lpSrch=".zip") returned 0x0 [0064.717] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x333, lpOverlapped=0x0) returned 1 [0064.751] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.751] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x333, lpOverlapped=0x0) returned 1 [0064.752] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.752] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0064.752] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0064.752] CloseHandle (hObject=0x1d8) returned 1 [0064.752] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.protected") returned 93 [0064.752] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.protected")) returned 1 [0064.752] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0064.752] lstrcmpiW (lpString1="osetupui.dll", lpString2="Windows") returned -1 [0064.752] lstrcmpiW (lpString1="osetupui.dll", lpString2="Program Files") returned -1 [0064.753] lstrcmpiW (lpString1="osetupui.dll", lpString2="Program Files (x86)") returned -1 [0064.753] lstrcmpiW (lpString1="osetupui.dll", lpString2="$Recycle.bin") returned 1 [0064.753] lstrcmpiW (lpString1="osetupui.dll", lpString2="System Volume Information") returned -1 [0064.753] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0064.753] StrStrIW (lpFirst="osetupui.dll", lpSrch=".protected") returned 0x0 [0064.753] lstrcmpW (lpString1="osetupui.dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0064.753] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0064.753] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0064.753] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0064.753] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0064.753] StrStrW (lpFirst="osetupui.dll", lpSrch=".txt") returned 0x0 [0064.753] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0064.753] StrStrW (lpFirst="osetupui.dll", lpSrch=".rar") returned 0x0 [0064.753] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0064.753] StrStrW (lpFirst="osetupui.dll", lpSrch=".zip") returned 0x0 [0064.753] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0064.785] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.785] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0064.786] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.786] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0064.829] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0064.829] CloseHandle (hObject=0x1d8) returned 1 [0064.830] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.protected") returned 89 [0064.830] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.protected")) returned 1 [0064.830] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0064.830] lstrcmpiW (lpString1="pss10r.chm", lpString2="Windows") returned -1 [0064.830] lstrcmpiW (lpString1="pss10r.chm", lpString2="Program Files") returned 1 [0064.830] lstrcmpiW (lpString1="pss10r.chm", lpString2="Program Files (x86)") returned 1 [0064.830] lstrcmpiW (lpString1="pss10r.chm", lpString2="$Recycle.bin") returned 1 [0064.830] lstrcmpiW (lpString1="pss10r.chm", lpString2="System Volume Information") returned -1 [0064.830] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0064.830] StrStrIW (lpFirst="pss10r.chm", lpSrch=".protected") returned 0x0 [0064.831] lstrcmpW (lpString1="pss10r.chm", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0064.831] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0064.831] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0064.831] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0064.831] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0064.831] StrStrW (lpFirst="pss10r.chm", lpSrch=".txt") returned 0x0 [0064.831] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0064.831] StrStrW (lpFirst="pss10r.chm", lpSrch=".rar") returned 0x0 [0064.831] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0064.831] StrStrW (lpFirst="pss10r.chm", lpSrch=".zip") returned 0x0 [0064.831] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0064.944] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.944] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0064.944] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.944] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0065.015] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0065.015] CloseHandle (hObject=0x1d8) returned 1 [0065.015] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.protected") returned 87 [0065.015] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.protected")) returned 1 [0065.017] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0065.017] lstrcmpiW (lpString1="setup.chm", lpString2="Windows") returned -1 [0065.017] lstrcmpiW (lpString1="setup.chm", lpString2="Program Files") returned 1 [0065.017] lstrcmpiW (lpString1="setup.chm", lpString2="Program Files (x86)") returned 1 [0065.017] lstrcmpiW (lpString1="setup.chm", lpString2="$Recycle.bin") returned 1 [0065.017] lstrcmpiW (lpString1="setup.chm", lpString2="System Volume Information") returned -1 [0065.017] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0065.017] StrStrIW (lpFirst="setup.chm", lpSrch=".protected") returned 0x0 [0065.017] lstrcmpW (lpString1="setup.chm", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0065.017] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0065.017] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0065.017] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0065.018] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0065.018] StrStrW (lpFirst="setup.chm", lpSrch=".txt") returned 0x0 [0065.018] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0065.018] StrStrW (lpFirst="setup.chm", lpSrch=".rar") returned 0x0 [0065.018] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0065.018] StrStrW (lpFirst="setup.chm", lpSrch=".zip") returned 0x0 [0065.018] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0065.032] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.032] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0065.032] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.032] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0065.077] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0065.077] CloseHandle (hObject=0x1d8) returned 1 [0065.078] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.protected") returned 86 [0065.078] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.protected")) returned 1 [0065.078] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0065.078] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0065.078] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0065.078] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0065.078] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0065.078] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0065.078] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0065.078] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0065.078] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0065.078] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0065.079] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0065.079] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0065.079] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0065.079] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0065.079] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0065.079] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0065.079] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0065.079] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0065.079] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2488, lpOverlapped=0x0) returned 1 [0065.096] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffdb78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.096] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2488, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2488, lpOverlapped=0x0) returned 1 [0065.097] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.097] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0065.097] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0065.097] CloseHandle (hObject=0x1d8) returned 1 [0065.097] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0065.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0065.098] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0065.098] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Windows") returned -1 [0065.098] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Program Files") returned 1 [0065.098] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Program Files (x86)") returned 1 [0065.098] lstrcmpiW (lpString1="ShellUI.MST", lpString2="$Recycle.bin") returned 1 [0065.098] lstrcmpiW (lpString1="ShellUI.MST", lpString2="System Volume Information") returned -1 [0065.098] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0065.098] StrStrIW (lpFirst="ShellUI.MST", lpSrch=".protected") returned 0x0 [0065.098] lstrcmpW (lpString1="ShellUI.MST", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0065.098] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0065.098] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0065.098] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0065.098] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0065.098] StrStrW (lpFirst="ShellUI.MST", lpSrch=".txt") returned 0x0 [0065.098] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0065.098] StrStrW (lpFirst="ShellUI.MST", lpSrch=".rar") returned 0x0 [0065.098] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0065.098] StrStrW (lpFirst="ShellUI.MST", lpSrch=".zip") returned 0x0 [0065.098] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0xe00, lpOverlapped=0x0) returned 1 [0065.208] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff200, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.208] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0xe00, lpOverlapped=0x0) returned 1 [0065.208] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.208] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0065.208] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0065.208] CloseHandle (hObject=0x1d8) returned 1 [0065.209] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.protected") returned 88 [0065.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.protected" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.protected")) returned 1 [0065.209] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0065.209] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0065.209] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0065.210] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0065.237] lstrlenA (lpString="EMPTY") returned 5 [0065.237] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0065.238] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0065.238] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0065.238] CloseHandle (hObject=0x1d4) returned 1 [0065.238] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0065.238] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0065.238] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0065.238] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0065.239] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0065.239] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0065.239] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C") returned 66 [0065.239] lstrcmpW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0065.239] lstrcmpW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0065.239] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*") returned 68 [0065.239] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0065.281] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.281] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.281] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.281] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.281] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.281] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.") returned 68 [0065.281] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.281] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0065.281] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0065.281] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0065.281] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0065.281] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.281] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0065.281] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.281] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.281] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.281] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.281] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.281] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\..") returned 69 [0065.281] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.281] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.281] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0065.281] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0065.281] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0065.281] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0065.282] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.282] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0065.282] lstrcmpiW (lpString1="Access.en-us", lpString2="Windows") returned -1 [0065.282] lstrcmpiW (lpString1="Access.en-us", lpString2="Program Files") returned -1 [0065.282] lstrcmpiW (lpString1="Access.en-us", lpString2="Program Files (x86)") returned -1 [0065.282] lstrcmpiW (lpString1="Access.en-us", lpString2="$Recycle.bin") returned 1 [0065.282] lstrcmpiW (lpString1="Access.en-us", lpString2="System Volume Information") returned -1 [0065.282] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned 79 [0065.282] lstrcmpW (lpString1="Access.en-us", lpString2=".") returned 1 [0065.282] lstrcmpW (lpString1="Access.en-us", lpString2="..") returned 1 [0065.282] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*") returned 81 [0065.282] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0065.308] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.308] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.308] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.308] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.308] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.308] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\.") returned 81 [0065.308] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.308] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0065.308] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.308] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.308] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.308] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.308] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.308] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\..") returned 82 [0065.308] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.308] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.308] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0065.308] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Windows") returned -1 [0065.308] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Program Files") returned -1 [0065.308] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Program Files (x86)") returned -1 [0065.308] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="$Recycle.bin") returned 1 [0065.308] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="System Volume Information") returned -1 [0065.308] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0065.308] StrStrIW (lpFirst="AccessMUI.msi", lpSrch=".protected") returned 0x0 [0065.308] lstrcmpW (lpString1="AccessMUI.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0065.308] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0065.309] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0065.309] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0065.309] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0065.309] StrStrW (lpFirst="AccessMUI.msi", lpSrch=".txt") returned 0x0 [0065.309] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0065.309] StrStrW (lpFirst="AccessMUI.msi", lpSrch=".rar") returned 0x0 [0065.309] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0065.309] StrStrW (lpFirst="AccessMUI.msi", lpSrch=".zip") returned 0x0 [0065.309] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0065.361] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.361] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0065.361] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.361] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0065.402] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0065.402] CloseHandle (hObject=0x1dc) returned 1 [0065.402] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.protected") returned 103 [0065.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.protected")) returned 1 [0065.403] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0065.403] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Windows") returned -1 [0065.403] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Program Files") returned -1 [0065.403] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Program Files (x86)") returned -1 [0065.403] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="$Recycle.bin") returned 1 [0065.403] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="System Volume Information") returned -1 [0065.403] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0065.403] StrStrIW (lpFirst="AccessMUI.xml", lpSrch=".protected") returned 0x0 [0065.403] lstrcmpW (lpString1="AccessMUI.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0065.403] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0065.404] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0065.404] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0065.404] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0065.404] StrStrW (lpFirst="AccessMUI.xml", lpSrch=".txt") returned 0x0 [0065.405] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0065.405] StrStrW (lpFirst="AccessMUI.xml", lpSrch=".rar") returned 0x0 [0065.405] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0065.405] StrStrW (lpFirst="AccessMUI.xml", lpSrch=".zip") returned 0x0 [0065.405] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x545, lpOverlapped=0x0) returned 1 [0065.424] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xfffffabb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.425] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x545, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x545, lpOverlapped=0x0) returned 1 [0065.425] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.425] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0065.425] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0065.425] CloseHandle (hObject=0x1dc) returned 1 [0065.425] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.protected") returned 103 [0065.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.protected")) returned 1 [0065.426] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0065.426] lstrcmpiW (lpString1="AccLR.cab", lpString2="Windows") returned -1 [0065.426] lstrcmpiW (lpString1="AccLR.cab", lpString2="Program Files") returned -1 [0065.426] lstrcmpiW (lpString1="AccLR.cab", lpString2="Program Files (x86)") returned -1 [0065.426] lstrcmpiW (lpString1="AccLR.cab", lpString2="$Recycle.bin") returned 1 [0065.426] lstrcmpiW (lpString1="AccLR.cab", lpString2="System Volume Information") returned -1 [0065.426] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0065.426] StrStrIW (lpFirst="AccLR.cab", lpSrch=".protected") returned 0x0 [0065.426] lstrcmpW (lpString1="AccLR.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0065.426] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0065.426] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0065.426] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0065.426] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0065.426] StrStrW (lpFirst="AccLR.cab", lpSrch=".txt") returned 0x0 [0065.426] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0065.426] StrStrW (lpFirst="AccLR.cab", lpSrch=".rar") returned 0x0 [0065.426] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0065.426] StrStrW (lpFirst="AccLR.cab", lpSrch=".zip") returned 0x0 [0065.427] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0065.449] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.449] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0065.449] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.449] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0065.462] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0065.462] CloseHandle (hObject=0x1dc) returned 1 [0065.476] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.protected") returned 99 [0065.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.protected")) returned 1 [0065.477] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0065.477] lstrcmpiW (lpString1="branding.xml", lpString2="Windows") returned -1 [0065.477] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files") returned -1 [0065.477] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files (x86)") returned -1 [0065.477] lstrcmpiW (lpString1="branding.xml", lpString2="$Recycle.bin") returned 1 [0065.477] lstrcmpiW (lpString1="branding.xml", lpString2="System Volume Information") returned -1 [0065.477] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0065.477] StrStrIW (lpFirst="branding.xml", lpSrch=".protected") returned 0x0 [0065.477] lstrcmpW (lpString1="branding.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0065.477] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0065.477] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0065.477] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0065.478] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0065.478] StrStrW (lpFirst="branding.xml", lpSrch=".txt") returned 0x0 [0065.478] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0065.478] StrStrW (lpFirst="branding.xml", lpSrch=".rar") returned 0x0 [0065.478] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0065.478] StrStrW (lpFirst="branding.xml", lpSrch=".zip") returned 0x0 [0065.478] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0065.575] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.575] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0065.575] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.575] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0065.595] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0065.596] CloseHandle (hObject=0x1dc) returned 1 [0065.596] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.protected") returned 102 [0065.596] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.protected")) returned 1 [0065.596] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0065.596] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0065.597] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 109 [0065.597] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0065.603] lstrlenA (lpString="EMPTY") returned 5 [0065.603] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0065.604] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0065.604] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0065.604] CloseHandle (hObject=0x1d8) returned 1 [0065.605] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0065.605] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Windows") returned -1 [0065.605] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Program Files") returned -1 [0065.605] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Program Files (x86)") returned -1 [0065.605] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="$Recycle.bin") returned 1 [0065.605] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="System Volume Information") returned -1 [0065.605] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0065.605] StrStrIW (lpFirst="AccessMUISet.msi", lpSrch=".protected") returned 0x0 [0065.605] lstrcmpW (lpString1="AccessMUISet.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0065.605] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0065.605] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0065.605] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0065.605] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0065.605] StrStrW (lpFirst="AccessMUISet.msi", lpSrch=".txt") returned 0x0 [0065.605] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0065.605] StrStrW (lpFirst="AccessMUISet.msi", lpSrch=".rar") returned 0x0 [0065.605] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0065.605] StrStrW (lpFirst="AccessMUISet.msi", lpSrch=".zip") returned 0x0 [0065.605] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0065.621] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.621] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0065.621] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.621] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0065.669] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0065.669] CloseHandle (hObject=0x1d8) returned 1 [0065.672] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.protected") returned 93 [0065.672] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.protected")) returned 1 [0065.673] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0065.673] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Windows") returned -1 [0065.673] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Program Files") returned -1 [0065.673] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Program Files (x86)") returned -1 [0065.673] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="$Recycle.bin") returned 1 [0065.673] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="System Volume Information") returned -1 [0065.673] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0065.673] StrStrIW (lpFirst="AccessMUISet.xml", lpSrch=".protected") returned 0x0 [0065.673] lstrcmpW (lpString1="AccessMUISet.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0065.673] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0065.673] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0065.673] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0065.673] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0065.673] StrStrW (lpFirst="AccessMUISet.xml", lpSrch=".txt") returned 0x0 [0065.673] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0065.673] StrStrW (lpFirst="AccessMUISet.xml", lpSrch=".rar") returned 0x0 [0065.673] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0065.673] StrStrW (lpFirst="AccessMUISet.xml", lpSrch=".zip") returned 0x0 [0065.673] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x333, lpOverlapped=0x0) returned 1 [0065.675] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.675] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x333, lpOverlapped=0x0) returned 1 [0065.675] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.675] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0065.675] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0065.675] CloseHandle (hObject=0x1d8) returned 1 [0065.675] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.protected") returned 93 [0065.675] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.protected")) returned 1 [0065.676] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0065.676] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0065.676] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0065.676] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0065.676] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0065.676] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0065.676] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0065.676] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0065.676] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0065.676] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0065.676] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0065.676] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0065.676] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0065.677] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0065.677] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0065.677] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0065.677] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0065.677] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0065.677] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0xa40, lpOverlapped=0x0) returned 1 [0065.684] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffff5c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.684] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0xa40, lpOverlapped=0x0) returned 1 [0065.684] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.684] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0065.685] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0065.685] CloseHandle (hObject=0x1d8) returned 1 [0065.685] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0065.685] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0065.685] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0065.685] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0065.686] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0065.686] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0065.686] lstrlenA (lpString="EMPTY") returned 5 [0065.686] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0065.687] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0065.687] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0065.687] CloseHandle (hObject=0x1d4) returned 1 [0065.687] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0065.687] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0065.687] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0065.687] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0065.687] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0065.687] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0065.687] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C") returned 66 [0065.687] lstrcmpW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0065.687] lstrcmpW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0065.687] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*") returned 68 [0065.687] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0065.702] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.702] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.702] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.702] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.702] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.702] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\.") returned 68 [0065.702] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.702] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0065.702] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0065.702] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0065.702] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0065.702] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.702] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0065.702] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.703] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.703] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.703] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.703] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.703] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\..") returned 69 [0065.703] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.703] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.703] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0065.703] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0065.703] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0065.703] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0065.703] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.703] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0065.703] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0065.703] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files") returned -1 [0065.703] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files (x86)") returned -1 [0065.703] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0065.703] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0065.703] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0065.703] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".protected") returned 0x0 [0065.703] lstrcmpW (lpString1="Office32WW.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0065.703] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0065.703] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0065.703] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0065.704] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0065.704] StrStrW (lpFirst="Office32WW.msi", lpSrch=".txt") returned 0x0 [0065.704] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0065.704] StrStrW (lpFirst="Office32WW.msi", lpSrch=".rar") returned 0x0 [0065.704] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0065.704] StrStrW (lpFirst="Office32WW.msi", lpSrch=".zip") returned 0x0 [0065.704] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0065.737] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.737] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0065.737] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.737] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0065.790] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0065.790] CloseHandle (hObject=0x1d8) returned 1 [0065.790] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.protected") returned 91 [0065.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.protected")) returned 1 [0065.791] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0065.791] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0065.791] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files") returned -1 [0065.791] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files (x86)") returned -1 [0065.791] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0065.791] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0065.791] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0065.791] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".protected") returned 0x0 [0065.791] lstrcmpW (lpString1="Office32WW.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0065.791] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0065.791] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0065.791] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0065.792] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0065.792] StrStrW (lpFirst="Office32WW.xml", lpSrch=".txt") returned 0x0 [0065.792] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0065.792] StrStrW (lpFirst="Office32WW.xml", lpSrch=".rar") returned 0x0 [0065.792] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0065.792] StrStrW (lpFirst="Office32WW.xml", lpSrch=".zip") returned 0x0 [0065.792] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x10b2, lpOverlapped=0x0) returned 1 [0065.866] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffef4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.866] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x10b2, lpOverlapped=0x0) returned 1 [0065.866] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.867] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0065.867] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0065.867] CloseHandle (hObject=0x1d8) returned 1 [0065.867] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.protected") returned 91 [0065.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.protected")) returned 1 [0065.868] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0065.868] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0065.868] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files") returned -1 [0065.868] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files (x86)") returned -1 [0065.868] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0065.868] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0065.868] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0065.868] StrStrIW (lpFirst="ose.exe", lpSrch=".protected") returned 0x0 [0065.868] lstrcmpW (lpString1="ose.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0065.868] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0065.868] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0065.868] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0065.869] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0065.869] StrStrW (lpFirst="ose.exe", lpSrch=".txt") returned 0x0 [0065.869] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0065.869] StrStrW (lpFirst="ose.exe", lpSrch=".rar") returned 0x0 [0065.869] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0065.869] StrStrW (lpFirst="ose.exe", lpSrch=".zip") returned 0x0 [0065.869] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.080] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.080] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.080] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.080] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0066.136] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0066.137] CloseHandle (hObject=0x1d8) returned 1 [0066.197] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.protected") returned 84 [0066.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.protected")) returned 1 [0066.197] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0066.197] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0066.197] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files") returned -1 [0066.197] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files (x86)") returned -1 [0066.198] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0066.198] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0066.198] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0066.198] StrStrIW (lpFirst="osetup.dll", lpSrch=".protected") returned 0x0 [0066.198] lstrcmpW (lpString1="osetup.dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0066.198] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0066.198] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0066.198] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0066.199] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0066.199] StrStrW (lpFirst="osetup.dll", lpSrch=".txt") returned 0x0 [0066.199] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0066.199] StrStrW (lpFirst="osetup.dll", lpSrch=".rar") returned 0x0 [0066.199] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0066.199] StrStrW (lpFirst="osetup.dll", lpSrch=".zip") returned 0x0 [0066.199] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.247] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.247] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.309] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.309] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0066.329] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0066.329] CloseHandle (hObject=0x1d8) returned 1 [0066.330] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.protected") returned 87 [0066.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.protected")) returned 1 [0066.330] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0066.331] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0066.331] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files") returned -1 [0066.331] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files (x86)") returned -1 [0066.331] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0066.331] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0066.331] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0066.331] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".protected") returned 0x0 [0066.331] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0066.331] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0066.331] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0066.331] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0066.331] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0066.331] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".txt") returned 0x0 [0066.331] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0066.331] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".rar") returned 0x0 [0066.331] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0066.331] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".zip") returned 0x0 [0066.331] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.440] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.440] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.440] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.440] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0066.492] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0066.492] CloseHandle (hObject=0x1d8) returned 1 [0066.492] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.protected") returned 89 [0066.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.protected")) returned 1 [0066.492] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0066.492] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0066.492] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files") returned -1 [0066.492] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files (x86)") returned -1 [0066.492] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0066.492] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0066.492] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0066.492] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".protected") returned 0x0 [0066.493] lstrcmpW (lpString1="PidGenX.dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0066.493] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0066.493] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0066.493] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0066.493] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0066.493] StrStrW (lpFirst="PidGenX.dll", lpSrch=".txt") returned 0x0 [0066.493] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0066.493] StrStrW (lpFirst="PidGenX.dll", lpSrch=".rar") returned 0x0 [0066.493] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0066.493] StrStrW (lpFirst="PidGenX.dll", lpSrch=".zip") returned 0x0 [0066.493] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.502] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.502] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.502] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.502] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0066.542] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0066.542] CloseHandle (hObject=0x1d8) returned 1 [0066.542] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.protected") returned 88 [0066.542] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.protected")) returned 1 [0066.543] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0066.543] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0066.543] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files") returned -1 [0066.543] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files (x86)") returned -1 [0066.543] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0066.543] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System Volume Information") returned -1 [0066.543] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0066.543] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".protected") returned 0x0 [0066.543] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0066.543] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0066.543] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0066.543] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0066.543] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0066.543] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".txt") returned 0x0 [0066.543] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0066.543] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".rar") returned 0x0 [0066.543] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0066.543] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".zip") returned 0x0 [0066.543] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.597] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.597] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.597] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.597] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0066.632] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0066.632] CloseHandle (hObject=0x1d8) returned 1 [0066.632] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.protected") returned 101 [0066.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.protected")) returned 1 [0066.633] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0066.633] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="Windows") returned -1 [0066.633] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="Program Files") returned 1 [0066.633] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="Program Files (x86)") returned 1 [0066.633] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="$Recycle.bin") returned 1 [0066.633] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="System Volume Information") returned -1 [0066.633] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0066.633] StrStrIW (lpFirst="ProPlusrWW.msi", lpSrch=".protected") returned 0x0 [0066.633] lstrcmpW (lpString1="ProPlusrWW.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0066.633] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0066.633] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0066.633] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0066.636] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0066.636] StrStrW (lpFirst="ProPlusrWW.msi", lpSrch=".txt") returned 0x0 [0066.636] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0066.636] StrStrW (lpFirst="ProPlusrWW.msi", lpSrch=".rar") returned 0x0 [0066.636] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0066.636] StrStrW (lpFirst="ProPlusrWW.msi", lpSrch=".zip") returned 0x0 [0066.636] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.699] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.700] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.700] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.700] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0066.727] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0066.727] CloseHandle (hObject=0x1d8) returned 1 [0066.732] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.protected") returned 91 [0066.732] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.protected")) returned 1 [0066.733] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0066.733] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Windows") returned -1 [0066.733] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Program Files") returned 1 [0066.733] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Program Files (x86)") returned 1 [0066.733] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="$Recycle.bin") returned 1 [0066.733] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="System Volume Information") returned -1 [0066.734] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0066.734] StrStrIW (lpFirst="ProPlusrWW.xml", lpSrch=".protected") returned 0x0 [0066.734] lstrcmpW (lpString1="ProPlusrWW.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0066.734] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0066.734] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0066.734] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0066.734] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0066.734] StrStrW (lpFirst="ProPlusrWW.xml", lpSrch=".txt") returned 0x0 [0066.734] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0066.734] StrStrW (lpFirst="ProPlusrWW.xml", lpSrch=".rar") returned 0x0 [0066.734] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0066.734] StrStrW (lpFirst="ProPlusrWW.xml", lpSrch=".zip") returned 0x0 [0066.734] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.767] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.767] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.767] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.767] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0066.825] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0066.825] CloseHandle (hObject=0x1d8) returned 1 [0066.826] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.protected") returned 91 [0066.826] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.protected")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0066.826] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Windows") returned -1 [0066.826] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Program Files") returned 1 [0066.826] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Program Files (x86)") returned 1 [0066.826] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="$Recycle.bin") returned 1 [0066.826] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="System Volume Information") returned -1 [0066.826] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0066.826] StrStrIW (lpFirst="ProPrWW.cab", lpSrch=".protected") returned 0x0 [0066.826] lstrcmpW (lpString1="ProPrWW.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0066.826] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0066.826] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0066.826] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0066.830] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0066.830] StrStrW (lpFirst="ProPrWW.cab", lpSrch=".txt") returned 0x0 [0066.830] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0066.830] StrStrW (lpFirst="ProPrWW.cab", lpSrch=".rar") returned 0x0 [0066.830] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0066.830] StrStrW (lpFirst="ProPrWW.cab", lpSrch=".zip") returned 0x0 [0066.830] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.833] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.833] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.833] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.833] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0066.849] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0066.850] CloseHandle (hObject=0x1d8) returned 1 [0066.850] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.protected") returned 88 [0066.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.protected")) returned 1 [0066.850] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0066.850] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Windows") returned -1 [0066.850] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Program Files") returned 1 [0066.850] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Program Files (x86)") returned 1 [0066.850] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="$Recycle.bin") returned 1 [0066.850] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="System Volume Information") returned -1 [0066.850] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0066.851] StrStrIW (lpFirst="ProPrWW2.cab", lpSrch=".protected") returned 0x0 [0066.851] lstrcmpW (lpString1="ProPrWW2.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0066.851] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0066.851] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0066.851] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0066.851] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0066.851] StrStrW (lpFirst="ProPrWW2.cab", lpSrch=".txt") returned 0x0 [0066.851] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0066.851] StrStrW (lpFirst="ProPrWW2.cab", lpSrch=".rar") returned 0x0 [0066.851] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0066.851] StrStrW (lpFirst="ProPrWW2.cab", lpSrch=".zip") returned 0x0 [0066.852] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.907] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.907] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.907] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.907] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0066.937] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0066.937] CloseHandle (hObject=0x1d8) returned 1 [0066.943] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.protected") returned 89 [0066.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.protected")) returned 1 [0066.944] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0066.944] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0066.944] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files") returned 1 [0066.944] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files (x86)") returned 1 [0066.944] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0066.944] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0066.944] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0066.944] StrStrIW (lpFirst="setup.exe", lpSrch=".protected") returned 0x0 [0066.944] lstrcmpW (lpString1="setup.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0066.944] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0066.944] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0066.944] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0066.944] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0066.944] StrStrW (lpFirst="setup.exe", lpSrch=".txt") returned 0x0 [0066.944] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0066.944] StrStrW (lpFirst="setup.exe", lpSrch=".rar") returned 0x0 [0066.944] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0066.944] StrStrW (lpFirst="setup.exe", lpSrch=".zip") returned 0x0 [0066.944] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.959] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.959] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.959] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.959] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0066.965] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0066.965] CloseHandle (hObject=0x1d8) returned 1 [0066.965] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.protected") returned 86 [0066.965] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.protected")) returned 1 [0066.966] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0066.966] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0066.966] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0066.966] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0066.966] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0066.966] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0066.966] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0066.966] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0066.966] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0066.966] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0066.966] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0066.966] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0066.966] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0066.966] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0066.966] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0066.966] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0066.966] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0066.966] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0066.966] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.989] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.989] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0066.990] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.990] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.000] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.000] CloseHandle (hObject=0x1d8) returned 1 [0067.000] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0067.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0067.001] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0067.001] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0067.001] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0067.001] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0067.001] lstrlenA (lpString="EMPTY") returned 5 [0067.001] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0067.002] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0067.002] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0067.002] CloseHandle (hObject=0x1d4) returned 1 [0067.003] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0067.003] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0067.003] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0067.003] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0067.003] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0067.003] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0067.003] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C") returned 66 [0067.003] lstrcmpW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0067.003] lstrcmpW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0067.003] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*") returned 68 [0067.003] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0067.026] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.026] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.026] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.026] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.026] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.026] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\.") returned 68 [0067.026] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.026] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0067.026] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0067.026] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.026] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.026] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.026] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.026] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.026] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.026] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.026] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.026] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.026] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\..") returned 69 [0067.026] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.026] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.026] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0067.026] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0067.026] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.026] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.026] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.026] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.026] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0067.026] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files") returned -1 [0067.027] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files (x86)") returned -1 [0067.027] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0067.027] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0067.027] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0067.027] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".protected") returned 0x0 [0067.027] lstrcmpW (lpString1="Office32WW.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.027] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.027] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.027] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.027] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0067.028] StrStrW (lpFirst="Office32WW.msi", lpSrch=".txt") returned 0x0 [0067.028] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0067.028] StrStrW (lpFirst="Office32WW.msi", lpSrch=".rar") returned 0x0 [0067.028] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0067.028] StrStrW (lpFirst="Office32WW.msi", lpSrch=".zip") returned 0x0 [0067.028] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.056] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.056] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.057] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.057] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.093] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.093] CloseHandle (hObject=0x1d8) returned 1 [0067.106] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.protected") returned 91 [0067.106] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.protected")) returned 1 [0067.106] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.106] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0067.106] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files") returned -1 [0067.106] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files (x86)") returned -1 [0067.106] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0067.106] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0067.107] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0067.107] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".protected") returned 0x0 [0067.107] lstrcmpW (lpString1="Office32WW.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.107] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.107] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.107] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.107] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0067.107] StrStrW (lpFirst="Office32WW.xml", lpSrch=".txt") returned 0x0 [0067.107] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0067.107] StrStrW (lpFirst="Office32WW.xml", lpSrch=".rar") returned 0x0 [0067.107] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0067.107] StrStrW (lpFirst="Office32WW.xml", lpSrch=".zip") returned 0x0 [0067.107] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x10b2, lpOverlapped=0x0) returned 1 [0067.120] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffef4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.120] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x10b2, lpOverlapped=0x0) returned 1 [0067.120] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.120] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.120] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.120] CloseHandle (hObject=0x1d8) returned 1 [0067.121] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.protected") returned 91 [0067.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.protected")) returned 1 [0067.121] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.121] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0067.121] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files") returned -1 [0067.121] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files (x86)") returned -1 [0067.121] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0067.121] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0067.122] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0067.122] StrStrIW (lpFirst="ose.exe", lpSrch=".protected") returned 0x0 [0067.122] lstrcmpW (lpString1="ose.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.122] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.122] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.122] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.122] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0067.122] StrStrW (lpFirst="ose.exe", lpSrch=".txt") returned 0x0 [0067.122] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0067.122] StrStrW (lpFirst="ose.exe", lpSrch=".rar") returned 0x0 [0067.122] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0067.122] StrStrW (lpFirst="ose.exe", lpSrch=".zip") returned 0x0 [0067.122] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.171] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.171] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.171] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.171] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.221] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.221] CloseHandle (hObject=0x1d8) returned 1 [0067.221] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.protected") returned 84 [0067.221] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.protected")) returned 1 [0067.222] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.222] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0067.222] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files") returned -1 [0067.222] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files (x86)") returned -1 [0067.222] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0067.222] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0067.222] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0067.222] StrStrIW (lpFirst="osetup.dll", lpSrch=".protected") returned 0x0 [0067.222] lstrcmpW (lpString1="osetup.dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.222] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.223] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.223] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.223] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0067.223] StrStrW (lpFirst="osetup.dll", lpSrch=".txt") returned 0x0 [0067.223] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0067.223] StrStrW (lpFirst="osetup.dll", lpSrch=".rar") returned 0x0 [0067.223] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0067.223] StrStrW (lpFirst="osetup.dll", lpSrch=".zip") returned 0x0 [0067.223] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.244] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.244] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.244] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.244] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.245] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.245] CloseHandle (hObject=0x1d8) returned 1 [0067.271] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.protected") returned 87 [0067.271] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.protected")) returned 1 [0067.271] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.271] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0067.271] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files") returned -1 [0067.271] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files (x86)") returned -1 [0067.271] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0067.271] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0067.271] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0067.272] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".protected") returned 0x0 [0067.272] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.272] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.272] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.272] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.272] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0067.273] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".txt") returned 0x0 [0067.273] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0067.273] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".rar") returned 0x0 [0067.273] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0067.273] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".zip") returned 0x0 [0067.273] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.351] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.351] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.361] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.361] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.426] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.426] CloseHandle (hObject=0x1d8) returned 1 [0067.426] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.protected") returned 89 [0067.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.protected")) returned 1 [0067.427] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.427] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0067.427] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files") returned -1 [0067.427] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files (x86)") returned -1 [0067.427] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0067.427] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0067.427] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0067.427] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".protected") returned 0x0 [0067.427] lstrcmpW (lpString1="PidGenX.dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.427] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.427] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.427] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.428] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0067.428] StrStrW (lpFirst="PidGenX.dll", lpSrch=".txt") returned 0x0 [0067.428] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0067.428] StrStrW (lpFirst="PidGenX.dll", lpSrch=".rar") returned 0x0 [0067.428] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0067.428] StrStrW (lpFirst="PidGenX.dll", lpSrch=".zip") returned 0x0 [0067.428] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.447] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.447] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.448] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.448] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.461] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.461] CloseHandle (hObject=0x1d8) returned 1 [0067.461] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.protected") returned 88 [0067.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.protected")) returned 1 [0067.462] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.462] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0067.462] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files") returned -1 [0067.462] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files (x86)") returned -1 [0067.462] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0067.462] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System Volume Information") returned -1 [0067.462] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0067.462] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".protected") returned 0x0 [0067.462] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.462] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.462] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.462] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.463] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0067.463] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".txt") returned 0x0 [0067.463] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0067.463] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".rar") returned 0x0 [0067.463] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0067.463] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".zip") returned 0x0 [0067.463] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.544] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.544] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.544] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.545] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.565] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.565] CloseHandle (hObject=0x1d8) returned 1 [0067.566] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.protected") returned 101 [0067.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.protected")) returned 1 [0067.566] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.566] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="Windows") returned -1 [0067.566] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="Program Files") returned -1 [0067.566] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="Program Files (x86)") returned -1 [0067.566] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="$Recycle.bin") returned 1 [0067.566] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="System Volume Information") returned -1 [0067.566] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0067.566] StrStrIW (lpFirst="PrjProrWW.msi", lpSrch=".protected") returned 0x0 [0067.567] lstrcmpW (lpString1="PrjProrWW.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.567] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.567] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.567] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.567] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0067.567] StrStrW (lpFirst="PrjProrWW.msi", lpSrch=".txt") returned 0x0 [0067.567] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0067.567] StrStrW (lpFirst="PrjProrWW.msi", lpSrch=".rar") returned 0x0 [0067.568] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0067.568] StrStrW (lpFirst="PrjProrWW.msi", lpSrch=".zip") returned 0x0 [0067.568] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.569] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.569] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.569] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.569] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.650] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.650] CloseHandle (hObject=0x1d8) returned 1 [0067.650] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.protected") returned 90 [0067.650] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.protected")) returned 1 [0067.651] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.651] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Windows") returned -1 [0067.651] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Program Files") returned -1 [0067.651] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Program Files (x86)") returned -1 [0067.651] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="$Recycle.bin") returned 1 [0067.651] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="System Volume Information") returned -1 [0067.651] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0067.651] StrStrIW (lpFirst="PrjProrWW.xml", lpSrch=".protected") returned 0x0 [0067.651] lstrcmpW (lpString1="PrjProrWW.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.651] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.651] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.651] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.652] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0067.652] StrStrW (lpFirst="PrjProrWW.xml", lpSrch=".txt") returned 0x0 [0067.652] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0067.652] StrStrW (lpFirst="PrjProrWW.xml", lpSrch=".rar") returned 0x0 [0067.652] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0067.652] StrStrW (lpFirst="PrjProrWW.xml", lpSrch=".zip") returned 0x0 [0067.652] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x1915, lpOverlapped=0x0) returned 1 [0067.702] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffe6eb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.702] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x1915, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x1915, lpOverlapped=0x0) returned 1 [0067.702] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.702] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.702] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.702] CloseHandle (hObject=0x1d8) returned 1 [0067.703] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.protected") returned 90 [0067.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.protected")) returned 1 [0067.706] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.706] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Windows") returned -1 [0067.706] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Program Files") returned -1 [0067.706] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Program Files (x86)") returned -1 [0067.706] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="$Recycle.bin") returned 1 [0067.706] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="System Volume Information") returned -1 [0067.706] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0067.706] StrStrIW (lpFirst="PrjPrrWW.cab", lpSrch=".protected") returned 0x0 [0067.706] lstrcmpW (lpString1="PrjPrrWW.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.706] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.706] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.706] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.706] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0067.706] StrStrW (lpFirst="PrjPrrWW.cab", lpSrch=".txt") returned 0x0 [0067.707] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0067.707] StrStrW (lpFirst="PrjPrrWW.cab", lpSrch=".rar") returned 0x0 [0067.707] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0067.707] StrStrW (lpFirst="PrjPrrWW.cab", lpSrch=".zip") returned 0x0 [0067.707] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.748] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.748] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.748] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.748] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.773] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.773] CloseHandle (hObject=0x1d8) returned 1 [0067.799] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.protected") returned 89 [0067.799] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.protected")) returned 1 [0067.799] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.799] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0067.799] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files") returned 1 [0067.799] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files (x86)") returned 1 [0067.800] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0067.800] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0067.800] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0067.800] StrStrIW (lpFirst="setup.exe", lpSrch=".protected") returned 0x0 [0067.800] lstrcmpW (lpString1="setup.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.800] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.800] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.800] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.800] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0067.800] StrStrW (lpFirst="setup.exe", lpSrch=".txt") returned 0x0 [0067.800] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0067.800] StrStrW (lpFirst="setup.exe", lpSrch=".rar") returned 0x0 [0067.800] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0067.800] StrStrW (lpFirst="setup.exe", lpSrch=".zip") returned 0x0 [0067.800] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.824] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.824] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.824] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.824] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.858] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.858] CloseHandle (hObject=0x1d8) returned 1 [0067.858] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.protected") returned 86 [0067.858] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.protected")) returned 1 [0067.859] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.859] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0067.859] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0067.859] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0067.859] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0067.859] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0067.859] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.859] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0067.859] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.859] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.859] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.859] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.859] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.859] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0067.859] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.859] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0067.859] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.859] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0067.859] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.878] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.878] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.878] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.878] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.879] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.880] CloseHandle (hObject=0x1d8) returned 1 [0067.881] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0067.881] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0067.881] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0067.881] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0067.882] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0067.882] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0067.882] lstrlenA (lpString="EMPTY") returned 5 [0067.882] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0067.883] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0067.883] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0067.883] CloseHandle (hObject=0x1d4) returned 1 [0067.883] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0067.883] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0067.883] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0067.883] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0067.883] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0067.883] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0067.883] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C") returned 66 [0067.883] lstrcmpW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0067.883] lstrcmpW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0067.883] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*") returned 68 [0067.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0067.894] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.894] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.894] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.894] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.894] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.894] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\.") returned 68 [0067.894] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.894] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0067.894] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0067.894] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.894] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.894] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.894] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.894] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.894] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.894] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.894] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.894] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.894] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\..") returned 69 [0067.894] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.895] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.895] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0067.895] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0067.895] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.895] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.895] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0067.895] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.895] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0067.895] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files") returned -1 [0067.895] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files (x86)") returned -1 [0067.895] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0067.895] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0067.895] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0067.895] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".protected") returned 0x0 [0067.895] lstrcmpW (lpString1="Office32WW.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.895] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.895] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.895] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.895] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0067.895] StrStrW (lpFirst="Office32WW.msi", lpSrch=".txt") returned 0x0 [0067.896] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0067.896] StrStrW (lpFirst="Office32WW.msi", lpSrch=".rar") returned 0x0 [0067.896] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0067.896] StrStrW (lpFirst="Office32WW.msi", lpSrch=".zip") returned 0x0 [0067.896] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.935] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.936] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0067.936] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.936] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0067.939] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0067.939] CloseHandle (hObject=0x1d8) returned 1 [0067.940] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.protected") returned 91 [0067.940] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.protected")) returned 1 [0067.940] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0067.940] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0067.940] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files") returned -1 [0067.940] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files (x86)") returned -1 [0067.940] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0067.940] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0067.940] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0067.940] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".protected") returned 0x0 [0067.940] lstrcmpW (lpString1="Office32WW.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0067.940] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0067.941] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0067.941] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0067.941] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0067.941] StrStrW (lpFirst="Office32WW.xml", lpSrch=".txt") returned 0x0 [0067.941] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0067.941] StrStrW (lpFirst="Office32WW.xml", lpSrch=".rar") returned 0x0 [0067.941] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0067.941] StrStrW (lpFirst="Office32WW.xml", lpSrch=".zip") returned 0x0 [0067.941] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x10b2, lpOverlapped=0x0) returned 1 [0068.009] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffef4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.009] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x10b2, lpOverlapped=0x0) returned 1 [0068.009] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.009] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0068.009] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0068.009] CloseHandle (hObject=0x1d8) returned 1 [0068.010] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.protected") returned 91 [0068.010] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.protected")) returned 1 [0068.010] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.010] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0068.010] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files") returned -1 [0068.010] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files (x86)") returned -1 [0068.010] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0068.010] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0068.010] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0068.010] StrStrIW (lpFirst="ose.exe", lpSrch=".protected") returned 0x0 [0068.010] lstrcmpW (lpString1="ose.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0068.010] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0068.010] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0068.011] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0068.011] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0068.011] StrStrW (lpFirst="ose.exe", lpSrch=".txt") returned 0x0 [0068.011] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0068.011] StrStrW (lpFirst="ose.exe", lpSrch=".rar") returned 0x0 [0068.011] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0068.012] StrStrW (lpFirst="ose.exe", lpSrch=".zip") returned 0x0 [0068.012] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.156] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.156] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.157] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.157] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0068.207] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0068.207] CloseHandle (hObject=0x1d8) returned 1 [0068.207] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.protected") returned 84 [0068.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.protected")) returned 1 [0068.208] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.208] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0068.208] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files") returned -1 [0068.208] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files (x86)") returned -1 [0068.208] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0068.208] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0068.208] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0068.208] StrStrIW (lpFirst="osetup.dll", lpSrch=".protected") returned 0x0 [0068.208] lstrcmpW (lpString1="osetup.dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0068.208] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0068.208] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0068.208] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0068.208] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0068.208] StrStrW (lpFirst="osetup.dll", lpSrch=".txt") returned 0x0 [0068.208] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0068.208] StrStrW (lpFirst="osetup.dll", lpSrch=".rar") returned 0x0 [0068.208] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0068.208] StrStrW (lpFirst="osetup.dll", lpSrch=".zip") returned 0x0 [0068.208] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.236] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.236] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.236] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.236] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0068.253] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0068.253] CloseHandle (hObject=0x1d8) returned 1 [0068.259] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.protected") returned 87 [0068.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.protected")) returned 1 [0068.260] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.260] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0068.260] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files") returned -1 [0068.260] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files (x86)") returned -1 [0068.260] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0068.260] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0068.260] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0068.260] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".protected") returned 0x0 [0068.260] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0068.260] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0068.260] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0068.260] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0068.260] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0068.260] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".txt") returned 0x0 [0068.260] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0068.260] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".rar") returned 0x0 [0068.260] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0068.260] StrStrW (lpFirst="OWOW32WW.cab", lpSrch=".zip") returned 0x0 [0068.260] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.290] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.290] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.290] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.290] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0068.309] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0068.309] CloseHandle (hObject=0x1d8) returned 1 [0068.309] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.protected") returned 89 [0068.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.protected")) returned 1 [0068.310] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.310] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0068.310] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files") returned -1 [0068.310] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files (x86)") returned -1 [0068.310] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0068.310] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0068.310] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0068.310] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".protected") returned 0x0 [0068.310] lstrcmpW (lpString1="PidGenX.dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0068.310] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0068.310] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0068.310] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0068.310] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0068.310] StrStrW (lpFirst="PidGenX.dll", lpSrch=".txt") returned 0x0 [0068.311] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0068.311] StrStrW (lpFirst="PidGenX.dll", lpSrch=".rar") returned 0x0 [0068.311] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0068.311] StrStrW (lpFirst="PidGenX.dll", lpSrch=".zip") returned 0x0 [0068.311] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.312] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.312] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.312] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.312] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0068.366] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0068.367] CloseHandle (hObject=0x1d8) returned 1 [0068.367] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.protected") returned 88 [0068.367] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.protected")) returned 1 [0068.367] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.367] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0068.367] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files") returned -1 [0068.367] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files (x86)") returned -1 [0068.367] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0068.367] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System Volume Information") returned -1 [0068.367] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0068.367] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".protected") returned 0x0 [0068.367] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0068.367] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0068.368] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0068.368] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0068.368] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0068.368] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".txt") returned 0x0 [0068.368] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0068.368] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".rar") returned 0x0 [0068.368] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0068.368] StrStrW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".zip") returned 0x0 [0068.368] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.383] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.383] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.383] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.384] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0068.483] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0068.483] CloseHandle (hObject=0x1d8) returned 1 [0068.493] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.protected") returned 101 [0068.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.protected")) returned 1 [0068.493] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.493] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0068.493] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files") returned 1 [0068.493] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files (x86)") returned 1 [0068.493] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0068.493] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0068.493] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0068.493] StrStrIW (lpFirst="setup.exe", lpSrch=".protected") returned 0x0 [0068.493] lstrcmpW (lpString1="setup.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0068.494] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0068.494] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0068.494] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0068.494] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0068.495] StrStrW (lpFirst="setup.exe", lpSrch=".txt") returned 0x0 [0068.495] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0068.495] StrStrW (lpFirst="setup.exe", lpSrch=".rar") returned 0x0 [0068.495] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0068.495] StrStrW (lpFirst="setup.exe", lpSrch=".zip") returned 0x0 [0068.495] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.516] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.516] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.538] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.538] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0068.575] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0068.575] CloseHandle (hObject=0x1d8) returned 1 [0068.575] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.protected") returned 86 [0068.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.protected")) returned 1 [0068.576] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.576] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0068.576] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0068.576] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0068.576] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0068.576] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0068.576] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0068.576] StrStrIW (lpFirst="Setup.xml", lpSrch=".protected") returned 0x0 [0068.576] lstrcmpW (lpString1="Setup.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0068.576] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0068.576] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0068.576] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0068.576] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0068.576] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0068.577] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0068.577] StrStrW (lpFirst="Setup.xml", lpSrch=".rar") returned 0x0 [0068.577] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0068.577] StrStrW (lpFirst="Setup.xml", lpSrch=".zip") returned 0x0 [0068.577] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.673] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.673] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.673] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.673] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0068.675] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0068.675] CloseHandle (hObject=0x1d8) returned 1 [0068.675] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.protected") returned 86 [0068.675] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.protected")) returned 1 [0068.676] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.676] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Windows") returned -1 [0068.676] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Program Files") returned 1 [0068.676] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Program Files (x86)") returned 1 [0068.676] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="$Recycle.bin") returned 1 [0068.676] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="System Volume Information") returned 1 [0068.676] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0068.676] StrStrIW (lpFirst="VisiorWW.cab", lpSrch=".protected") returned 0x0 [0068.676] lstrcmpW (lpString1="VisiorWW.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0068.676] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0068.676] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0068.676] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0068.677] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0068.677] StrStrW (lpFirst="VisiorWW.cab", lpSrch=".txt") returned 0x0 [0068.677] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0068.677] StrStrW (lpFirst="VisiorWW.cab", lpSrch=".rar") returned 0x0 [0068.677] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0068.677] StrStrW (lpFirst="VisiorWW.cab", lpSrch=".zip") returned 0x0 [0068.677] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.717] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.717] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.717] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.717] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0068.751] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0068.751] CloseHandle (hObject=0x1d8) returned 1 [0068.761] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.protected") returned 89 [0068.761] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.protected")) returned 1 [0068.761] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.761] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Windows") returned -1 [0068.761] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Program Files") returned 1 [0068.761] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Program Files (x86)") returned 1 [0068.761] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="$Recycle.bin") returned 1 [0068.761] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="System Volume Information") returned 1 [0068.761] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0068.761] StrStrIW (lpFirst="VisiorWW.msi", lpSrch=".protected") returned 0x0 [0068.762] lstrcmpW (lpString1="VisiorWW.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0068.762] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0068.762] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0068.762] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0068.762] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0068.762] StrStrW (lpFirst="VisiorWW.msi", lpSrch=".txt") returned 0x0 [0068.762] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0068.762] StrStrW (lpFirst="VisiorWW.msi", lpSrch=".rar") returned 0x0 [0068.762] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0068.762] StrStrW (lpFirst="VisiorWW.msi", lpSrch=".zip") returned 0x0 [0068.762] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.795] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.795] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0068.795] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.795] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0068.820] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0068.820] CloseHandle (hObject=0x1d8) returned 1 [0068.825] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.protected") returned 89 [0068.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.protected")) returned 1 [0068.825] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.825] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Windows") returned -1 [0068.825] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Program Files") returned 1 [0068.825] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Program Files (x86)") returned 1 [0068.826] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="$Recycle.bin") returned 1 [0068.826] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="System Volume Information") returned 1 [0068.826] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0068.826] StrStrIW (lpFirst="VisiorWW.xml", lpSrch=".protected") returned 0x0 [0068.826] lstrcmpW (lpString1="VisiorWW.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0068.826] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0068.826] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0068.826] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0068.826] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0068.826] StrStrW (lpFirst="VisiorWW.xml", lpSrch=".txt") returned 0x0 [0068.826] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0068.826] StrStrW (lpFirst="VisiorWW.xml", lpSrch=".rar") returned 0x0 [0068.826] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0068.826] StrStrW (lpFirst="VisiorWW.xml", lpSrch=".zip") returned 0x0 [0068.826] ReadFile (in: hFile=0x1d8, lpBuffer=0x5b7640, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesRead=0x2eee78*=0x2213, lpOverlapped=0x0) returned 1 [0068.848] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffdded, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.848] WriteFile (in: hFile=0x1d8, lpBuffer=0x5b7640*, nNumberOfBytesToWrite=0x2213, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5b7640*, lpNumberOfBytesWritten=0x2eee78*=0x2213, lpOverlapped=0x0) returned 1 [0068.848] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.848] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0068.848] WriteFile (in: hFile=0x1d8, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0068.848] CloseHandle (hObject=0x1d8) returned 1 [0068.849] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.protected") returned 89 [0068.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.protected" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.protected")) returned 1 [0068.849] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0068.849] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0068.849] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0068.849] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0068.850] lstrlenA (lpString="EMPTY") returned 5 [0068.850] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0068.850] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0068.850] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0068.893] CloseHandle (hObject=0x1d4) returned 1 [0068.893] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0068.893] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0068.895] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 55 [0068.895] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\all users\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0068.895] lstrlenA (lpString="EMPTY") returned 5 [0068.895] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0068.896] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0068.896] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0068.896] CloseHandle (hObject=0x1d0) returned 1 [0068.896] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0 [0068.896] FindClose (in: hFindFile=0x5572f0 | out: hFindFile=0x5572f0) returned 1 [0068.896] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 45 [0068.896] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\msocache\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0068.896] lstrlenA (lpString="EMPTY") returned 5 [0068.897] WriteFile (in: hFile=0x1cc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef474, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef474*=0x5, lpOverlapped=0x0) returned 1 [0068.897] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0068.897] WriteFile (in: hFile=0x1cc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef474, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef474*=0x2ac, lpOverlapped=0x0) returned 1 [0068.897] CloseHandle (hObject=0x1cc) returned 1 [0068.898] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0068.898] lstrcmpiW (lpString1="pagefile.sys", lpString2="Windows") returned -1 [0068.898] lstrcmpiW (lpString1="pagefile.sys", lpString2="Program Files") returned -1 [0068.898] lstrcmpiW (lpString1="pagefile.sys", lpString2="Program Files (x86)") returned -1 [0068.898] lstrcmpiW (lpString1="pagefile.sys", lpString2="$Recycle.bin") returned 1 [0068.898] lstrcmpiW (lpString1="pagefile.sys", lpString2="System Volume Information") returned -1 [0068.898] wnsprintfW (in: pszDest=0x573520, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\pagefile.sys") returned 19 [0068.898] StrStrIW (lpFirst="pagefile.sys", lpSrch=".protected") returned 0x0 [0068.898] lstrcmpW (lpString1="pagefile.sys", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0068.898] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef790 | out: pbBuffer=0x2ef790) returned 1 [0068.898] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef784*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef784*=0x30) returned 1 [0068.898] CreateFileW (lpFileName="\\\\?\\C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.898] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0068.898] lstrcmpiW (lpString1="PerfLogs", lpString2="Windows") returned -1 [0068.898] lstrcmpiW (lpString1="PerfLogs", lpString2="Program Files") returned -1 [0068.898] lstrcmpiW (lpString1="PerfLogs", lpString2="Program Files (x86)") returned -1 [0068.898] lstrcmpiW (lpString1="PerfLogs", lpString2="$Recycle.bin") returned 1 [0068.898] lstrcmpiW (lpString1="PerfLogs", lpString2="System Volume Information") returned -1 [0068.898] wnsprintfW (in: pszDest=0x573520, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs") returned 15 [0068.898] lstrcmpW (lpString1="PerfLogs", lpString2=".") returned 1 [0068.898] lstrcmpW (lpString1="PerfLogs", lpString2="..") returned 1 [0068.898] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\PerfLogs\\*") returned 17 [0068.898] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*", lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0x5572f0 [0068.899] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.899] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.899] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.899] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.899] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.899] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\.") returned 17 [0068.899] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.899] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0068.899] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.899] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.899] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.899] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.899] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.899] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\..") returned 18 [0068.899] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.899] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.899] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0068.899] lstrcmpiW (lpString1="Admin", lpString2="Windows") returned -1 [0068.899] lstrcmpiW (lpString1="Admin", lpString2="Program Files") returned -1 [0068.899] lstrcmpiW (lpString1="Admin", lpString2="Program Files (x86)") returned -1 [0068.899] lstrcmpiW (lpString1="Admin", lpString2="$Recycle.bin") returned 1 [0068.899] lstrcmpiW (lpString1="Admin", lpString2="System Volume Information") returned -1 [0068.899] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin") returned 21 [0068.899] lstrcmpW (lpString1="Admin", lpString2=".") returned 1 [0068.899] lstrcmpW (lpString1="Admin", lpString2="..") returned 1 [0068.899] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\*") returned 23 [0068.899] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0068.900] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.900] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.900] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.900] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.900] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.900] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\.") returned 23 [0068.900] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.900] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0068.900] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.900] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.900] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.900] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.900] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.900] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\..") returned 24 [0068.900] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.900] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.900] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0068.900] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0068.901] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 51 [0068.901] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\perflogs\\admin\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0068.901] lstrlenA (lpString="EMPTY") returned 5 [0068.901] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0068.902] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0068.902] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0068.902] CloseHandle (hObject=0x1d0) returned 1 [0068.902] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0 [0068.902] FindClose (in: hFindFile=0x5572f0 | out: hFindFile=0x5572f0) returned 1 [0068.902] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 45 [0068.902] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\perflogs\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0068.903] lstrlenA (lpString="EMPTY") returned 5 [0068.903] WriteFile (in: hFile=0x1cc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef474, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef474*=0x5, lpOverlapped=0x0) returned 1 [0068.903] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0068.903] WriteFile (in: hFile=0x1cc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef474, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef474*=0x2ac, lpOverlapped=0x0) returned 1 [0068.904] CloseHandle (hObject=0x1cc) returned 1 [0068.904] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0068.904] lstrcmpiW (lpString1="Program Files", lpString2="Windows") returned -1 [0068.904] lstrcmpiW (lpString1="Program Files", lpString2="Program Files") returned 0 [0068.904] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0068.904] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Windows") returned -1 [0068.904] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Program Files") returned 1 [0068.904] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Program Files (x86)") returned 0 [0068.904] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0068.904] lstrcmpiW (lpString1="ProgramData", lpString2="Windows") returned -1 [0068.904] lstrcmpiW (lpString1="ProgramData", lpString2="Program Files") returned 1 [0068.904] lstrcmpiW (lpString1="ProgramData", lpString2="Program Files (x86)") returned 1 [0068.904] lstrcmpiW (lpString1="ProgramData", lpString2="$Recycle.bin") returned 1 [0068.904] lstrcmpiW (lpString1="ProgramData", lpString2="System Volume Information") returned -1 [0068.904] wnsprintfW (in: pszDest=0x573520, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData") returned 18 [0068.904] lstrcmpW (lpString1="ProgramData", lpString2=".") returned 1 [0068.904] lstrcmpW (lpString1="ProgramData", lpString2="..") returned 1 [0068.904] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\*") returned 20 [0068.904] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\*", lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0x5572f0 [0068.904] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.904] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.904] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.905] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.905] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.905] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\.") returned 20 [0068.905] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.905] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0068.905] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0068.905] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0068.905] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0068.905] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\." (normalized: "c:\\programdata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.905] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0068.905] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.905] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.905] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.905] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.905] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.905] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\..") returned 21 [0068.905] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.905] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.905] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0068.905] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0068.905] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0068.905] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0068.905] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0068.905] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0068.906] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0068.906] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0068.906] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0068.906] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0068.906] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0068.906] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe") returned 24 [0068.906] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0068.906] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0068.906] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\*") returned 26 [0068.906] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0068.906] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.906] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.906] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.906] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.906] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.906] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\.") returned 26 [0068.906] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.906] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0068.906] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.906] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.906] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.906] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.906] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.906] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\..") returned 27 [0068.906] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.906] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.907] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0068.907] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0068.907] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0068.907] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0068.907] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0068.907] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0068.907] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat") returned 32 [0068.907] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0068.907] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0068.907] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*") returned 34 [0068.907] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0068.908] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.908] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.908] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.908] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.908] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.908] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\.") returned 34 [0068.908] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.908] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.908] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.908] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.908] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.908] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.908] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.908] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\..") returned 35 [0068.908] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.908] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.908] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.908] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0068.908] lstrcmpiW (lpString1="10.0", lpString2="Program Files") returned -1 [0068.908] lstrcmpiW (lpString1="10.0", lpString2="Program Files (x86)") returned -1 [0068.908] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0068.908] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0068.908] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0") returned 37 [0068.908] lstrcmpW (lpString1="10.0", lpString2=".") returned 1 [0068.908] lstrcmpW (lpString1="10.0", lpString2="..") returned 1 [0068.909] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*") returned 39 [0068.909] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0068.909] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.909] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.909] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.909] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.909] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.909] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\.") returned 39 [0068.909] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.909] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0068.909] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.909] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.909] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.909] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.909] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.909] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\..") returned 40 [0068.909] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.909] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.909] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0068.909] lstrcmpiW (lpString1="Replicate", lpString2="Windows") returned -1 [0068.909] lstrcmpiW (lpString1="Replicate", lpString2="Program Files") returned 1 [0068.909] lstrcmpiW (lpString1="Replicate", lpString2="Program Files (x86)") returned 1 [0068.909] lstrcmpiW (lpString1="Replicate", lpString2="$Recycle.bin") returned 1 [0068.909] lstrcmpiW (lpString1="Replicate", lpString2="System Volume Information") returned -1 [0068.909] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate") returned 47 [0068.909] lstrcmpW (lpString1="Replicate", lpString2=".") returned 1 [0068.910] lstrcmpW (lpString1="Replicate", lpString2="..") returned 1 [0068.910] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*") returned 49 [0068.910] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0068.931] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.931] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.931] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.931] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.931] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.931] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\.") returned 49 [0068.931] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.931] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0068.931] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.931] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.931] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.931] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.931] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.931] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\..") returned 50 [0068.931] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.931] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.931] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0068.931] lstrcmpiW (lpString1="Security", lpString2="Windows") returned -1 [0068.931] lstrcmpiW (lpString1="Security", lpString2="Program Files") returned 1 [0068.931] lstrcmpiW (lpString1="Security", lpString2="Program Files (x86)") returned 1 [0068.931] lstrcmpiW (lpString1="Security", lpString2="$Recycle.bin") returned 1 [0068.931] lstrcmpiW (lpString1="Security", lpString2="System Volume Information") returned -1 [0068.931] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security") returned 56 [0068.931] lstrcmpW (lpString1="Security", lpString2=".") returned 1 [0068.932] lstrcmpW (lpString1="Security", lpString2="..") returned 1 [0068.932] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*") returned 58 [0068.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0068.932] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.932] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.932] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.932] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.932] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.932] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\.") returned 58 [0068.932] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.932] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0068.932] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.932] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.932] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.932] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.932] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.932] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\..") returned 59 [0068.933] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.933] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.933] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0068.933] lstrcmpiW (lpString1="directories.acrodata", lpString2="Windows") returned -1 [0068.933] lstrcmpiW (lpString1="directories.acrodata", lpString2="Program Files") returned -1 [0068.933] lstrcmpiW (lpString1="directories.acrodata", lpString2="Program Files (x86)") returned -1 [0068.933] lstrcmpiW (lpString1="directories.acrodata", lpString2="$Recycle.bin") returned 1 [0068.933] lstrcmpiW (lpString1="directories.acrodata", lpString2="System Volume Information") returned -1 [0068.933] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned 77 [0068.933] StrStrIW (lpFirst="directories.acrodata", lpSrch=".protected") returned 0x0 [0068.933] lstrcmpW (lpString1="directories.acrodata", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0068.933] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0068.933] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0068.933] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0068.933] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned 77 [0068.933] StrStrW (lpFirst="directories.acrodata", lpSrch=".txt") returned 0x0 [0068.933] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned 77 [0068.933] StrStrW (lpFirst="directories.acrodata", lpSrch=".rar") returned 0x0 [0068.933] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned 77 [0068.933] StrStrW (lpFirst="directories.acrodata", lpSrch=".zip") returned 0x0 [0068.933] ReadFile (in: hFile=0x1e4, lpBuffer=0x5e8720, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesRead=0x2ee590*=0x1df, lpOverlapped=0x0) returned 1 [0068.934] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xfffffe21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.934] WriteFile (in: hFile=0x1e4, lpBuffer=0x5e8720*, nNumberOfBytesToWrite=0x1df, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesWritten=0x2ee590*=0x1df, lpOverlapped=0x0) returned 1 [0068.934] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.934] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0068.935] WriteFile (in: hFile=0x1e4, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0068.935] CloseHandle (hObject=0x1e4) returned 1 [0068.935] wnsprintfW (in: pszDest=0x5e8720, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.protected") returned 87 [0068.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.protected" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata.protected")) returned 1 [0068.936] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0068.936] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0068.936] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 86 [0068.936] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0068.936] lstrlenA (lpString="EMPTY") returned 5 [0068.936] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0068.937] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0068.937] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0068.937] CloseHandle (hObject=0x1e0) returned 1 [0068.937] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0068.937] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0068.937] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 77 [0068.937] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0068.938] lstrlenA (lpString="EMPTY") returned 5 [0068.938] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0068.939] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0068.939] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0068.939] CloseHandle (hObject=0x1dc) returned 1 [0068.939] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0068.939] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0068.939] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 67 [0068.939] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0068.939] lstrlenA (lpString="EMPTY") returned 5 [0068.939] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0068.940] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0068.940] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0068.940] CloseHandle (hObject=0x1d8) returned 1 [0068.940] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0068.940] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0068.941] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 62 [0068.941] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\adobe\\acrobat\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0068.941] lstrlenA (lpString="EMPTY") returned 5 [0068.941] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0068.942] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0068.942] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0068.942] CloseHandle (hObject=0x1d4) returned 1 [0068.943] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0068.943] lstrcmpiW (lpString1="ARM", lpString2="Windows") returned -1 [0068.943] lstrcmpiW (lpString1="ARM", lpString2="Program Files") returned -1 [0068.943] lstrcmpiW (lpString1="ARM", lpString2="Program Files (x86)") returned -1 [0068.943] lstrcmpiW (lpString1="ARM", lpString2="$Recycle.bin") returned 1 [0068.943] lstrcmpiW (lpString1="ARM", lpString2="System Volume Information") returned -1 [0068.943] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM") returned 28 [0068.943] lstrcmpW (lpString1="ARM", lpString2=".") returned 1 [0068.943] lstrcmpW (lpString1="ARM", lpString2="..") returned 1 [0068.943] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*") returned 30 [0068.943] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0068.943] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.943] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.943] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.943] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.943] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.943] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\.") returned 30 [0068.943] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.943] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.943] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.943] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.943] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.943] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.944] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.944] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\..") returned 31 [0068.944] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.944] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.944] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0068.944] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Windows") returned -1 [0068.944] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Program Files") returned 1 [0068.944] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Program Files (x86)") returned 1 [0068.944] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="$Recycle.bin") returned 1 [0068.944] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="System Volume Information") returned -1 [0068.944] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0") returned 42 [0068.944] lstrcmpW (lpString1="Reader_10.0.0", lpString2=".") returned 1 [0068.944] lstrcmpW (lpString1="Reader_10.0.0", lpString2="..") returned 1 [0068.944] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*") returned 44 [0068.944] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0068.964] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0068.964] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0068.964] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0068.964] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0068.964] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0068.964] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\.") returned 44 [0068.964] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0068.964] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0068.964] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0068.964] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0068.964] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0068.964] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0068.964] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0068.964] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\..") returned 45 [0068.964] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0068.964] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0068.964] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0068.964] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="Windows") returned -1 [0068.964] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="Program Files") returned -1 [0068.964] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="Program Files (x86)") returned -1 [0068.964] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="$Recycle.bin") returned 1 [0068.964] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="System Volume Information") returned -1 [0068.965] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned 65 [0068.965] StrStrIW (lpFirst="AdbeRdrSecUpd10111.msp", lpSrch=".protected") returned 0x0 [0068.965] lstrcmpW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0068.965] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0068.965] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0068.965] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0068.966] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned 65 [0068.966] StrStrW (lpFirst="AdbeRdrSecUpd10111.msp", lpSrch=".txt") returned 0x0 [0068.966] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned 65 [0068.966] StrStrW (lpFirst="AdbeRdrSecUpd10111.msp", lpSrch=".rar") returned 0x0 [0068.966] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned 65 [0068.966] StrStrW (lpFirst="AdbeRdrSecUpd10111.msp", lpSrch=".zip") returned 0x0 [0068.966] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0068.968] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.968] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0068.968] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.968] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0068.969] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0068.969] CloseHandle (hObject=0x1dc) returned 1 [0068.969] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.protected") returned 75 [0068.969] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.protected" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp.protected")) returned 1 [0068.970] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0068.970] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="Windows") returned -1 [0068.970] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="Program Files") returned -1 [0068.970] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="Program Files (x86)") returned -1 [0068.970] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="$Recycle.bin") returned 1 [0068.970] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="System Volume Information") returned -1 [0068.970] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned 66 [0068.970] StrStrIW (lpFirst="AdbeRdrUpd10110_MUI.msp", lpSrch=".protected") returned 0x0 [0068.970] lstrcmpW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0068.970] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0068.970] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0068.970] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0068.970] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned 66 [0068.970] StrStrW (lpFirst="AdbeRdrUpd10110_MUI.msp", lpSrch=".txt") returned 0x0 [0068.970] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned 66 [0068.970] StrStrW (lpFirst="AdbeRdrUpd10110_MUI.msp", lpSrch=".rar") returned 0x0 [0068.970] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned 66 [0068.970] StrStrW (lpFirst="AdbeRdrUpd10110_MUI.msp", lpSrch=".zip") returned 0x0 [0068.970] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0069.008] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.008] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0069.008] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.008] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0069.009] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0069.009] CloseHandle (hObject=0x1dc) returned 1 [0069.025] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.protected") returned 76 [0069.025] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.protected" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp.protected")) returned 1 [0069.026] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.026] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="Windows") returned -1 [0069.026] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="Program Files") returned -1 [0069.026] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="Program Files (x86)") returned -1 [0069.026] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="$Recycle.bin") returned 1 [0069.026] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="System Volume Information") returned -1 [0069.026] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned 66 [0069.026] StrStrIW (lpFirst="AdbeRdrUpd10116_MUI.msp", lpSrch=".protected") returned 0x0 [0069.026] lstrcmpW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.026] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0069.026] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0069.026] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0069.026] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned 66 [0069.026] StrStrW (lpFirst="AdbeRdrUpd10116_MUI.msp", lpSrch=".txt") returned 0x0 [0069.026] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned 66 [0069.026] StrStrW (lpFirst="AdbeRdrUpd10116_MUI.msp", lpSrch=".rar") returned 0x0 [0069.026] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned 66 [0069.026] StrStrW (lpFirst="AdbeRdrUpd10116_MUI.msp", lpSrch=".zip") returned 0x0 [0069.026] ReadFile (in: hFile=0x1dc, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0069.044] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.044] WriteFile (in: hFile=0x1dc, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0069.044] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.044] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0069.045] WriteFile (in: hFile=0x1dc, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0069.045] CloseHandle (hObject=0x1dc) returned 1 [0069.046] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.protected") returned 76 [0069.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.protected" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp.protected")) returned 1 [0069.046] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0069.046] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0069.046] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 72 [0069.046] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0069.047] lstrlenA (lpString="EMPTY") returned 5 [0069.047] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0069.047] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.047] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.048] CloseHandle (hObject=0x1d8) returned 1 [0069.048] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0069.048] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0069.048] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 58 [0069.048] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\adobe\\arm\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0069.049] lstrlenA (lpString="EMPTY") returned 5 [0069.049] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0069.050] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.050] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0069.050] CloseHandle (hObject=0x1d4) returned 1 [0069.050] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0069.050] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0069.052] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 54 [0069.052] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\adobe\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0069.052] lstrlenA (lpString="EMPTY") returned 5 [0069.052] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0069.053] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.053] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.053] CloseHandle (hObject=0x1d0) returned 1 [0069.053] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0069.053] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0069.053] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0069.053] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0069.053] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0069.053] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0069.054] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Application Data") returned 35 [0069.054] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0069.054] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0069.054] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Application Data\\*") returned 37 [0069.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Application Data\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0xffffffff [0069.054] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0069.054] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0069.054] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0069.054] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0069.054] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0069.054] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0069.054] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Desktop") returned 26 [0069.054] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0069.054] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0069.054] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Desktop\\*") returned 28 [0069.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Desktop\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0xffffffff [0069.054] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0069.054] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0069.054] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0069.054] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0069.054] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0069.054] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0069.054] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Documents") returned 28 [0069.055] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0069.055] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0069.055] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Documents\\*") returned 30 [0069.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Documents\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0xffffffff [0069.055] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0069.055] lstrcmpiW (lpString1="Favorites", lpString2="Windows") returned -1 [0069.055] lstrcmpiW (lpString1="Favorites", lpString2="Program Files") returned -1 [0069.055] lstrcmpiW (lpString1="Favorites", lpString2="Program Files (x86)") returned -1 [0069.055] lstrcmpiW (lpString1="Favorites", lpString2="$Recycle.bin") returned 1 [0069.055] lstrcmpiW (lpString1="Favorites", lpString2="System Volume Information") returned -1 [0069.055] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Favorites") returned 28 [0069.055] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0069.055] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0069.055] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Favorites\\*") returned 30 [0069.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Favorites\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0xffffffff [0069.055] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0069.055] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0069.055] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0069.055] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0069.055] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0069.055] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0069.055] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft") returned 28 [0069.055] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0069.055] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0069.055] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\*") returned 30 [0069.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0069.056] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.056] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.056] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.056] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.056] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.056] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\.") returned 30 [0069.056] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.056] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0069.056] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.056] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0069.056] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0069.056] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\." (normalized: "c:\\programdata\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.056] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0069.056] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.056] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.056] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.056] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.056] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.056] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\..") returned 31 [0069.056] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.057] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.057] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0069.057] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.057] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0069.057] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ef194*=0x30) returned 1 [0069.057] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\.." (normalized: "c:\\programdata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.057] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0069.057] lstrcmpiW (lpString1="Assistance", lpString2="Windows") returned -1 [0069.057] lstrcmpiW (lpString1="Assistance", lpString2="Program Files") returned -1 [0069.057] lstrcmpiW (lpString1="Assistance", lpString2="Program Files (x86)") returned -1 [0069.057] lstrcmpiW (lpString1="Assistance", lpString2="$Recycle.bin") returned 1 [0069.057] lstrcmpiW (lpString1="Assistance", lpString2="System Volume Information") returned -1 [0069.057] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance") returned 39 [0069.057] lstrcmpW (lpString1="Assistance", lpString2=".") returned 1 [0069.057] lstrcmpW (lpString1="Assistance", lpString2="..") returned 1 [0069.058] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*") returned 41 [0069.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0069.058] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.058] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.058] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.058] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.058] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.058] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\.") returned 41 [0069.058] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.058] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.058] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.058] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.059] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.059] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.059] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.059] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\..") returned 42 [0069.059] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.059] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.059] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.059] lstrcmpiW (lpString1="Client", lpString2="Windows") returned -1 [0069.059] lstrcmpiW (lpString1="Client", lpString2="Program Files") returned -1 [0069.059] lstrcmpiW (lpString1="Client", lpString2="Program Files (x86)") returned -1 [0069.059] lstrcmpiW (lpString1="Client", lpString2="$Recycle.bin") returned 1 [0069.059] lstrcmpiW (lpString1="Client", lpString2="System Volume Information") returned -1 [0069.059] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client") returned 46 [0069.059] lstrcmpW (lpString1="Client", lpString2=".") returned 1 [0069.059] lstrcmpW (lpString1="Client", lpString2="..") returned 1 [0069.059] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*") returned 48 [0069.059] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0069.059] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.059] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.059] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.059] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.059] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.059] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\.") returned 48 [0069.060] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.060] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.060] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.060] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.060] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.060] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.060] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.060] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\..") returned 49 [0069.060] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.060] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.060] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.060] lstrcmpiW (lpString1="1.0", lpString2="Windows") returned -1 [0069.060] lstrcmpiW (lpString1="1.0", lpString2="Program Files") returned -1 [0069.060] lstrcmpiW (lpString1="1.0", lpString2="Program Files (x86)") returned -1 [0069.060] lstrcmpiW (lpString1="1.0", lpString2="$Recycle.bin") returned 1 [0069.060] lstrcmpiW (lpString1="1.0", lpString2="System Volume Information") returned -1 [0069.060] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0") returned 50 [0069.060] lstrcmpW (lpString1="1.0", lpString2=".") returned 1 [0069.060] lstrcmpW (lpString1="1.0", lpString2="..") returned 1 [0069.060] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*") returned 52 [0069.060] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0069.060] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.060] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.061] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.061] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.061] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.061] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\.") returned 52 [0069.061] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.061] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.061] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.061] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.061] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.061] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.061] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.061] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\..") returned 53 [0069.061] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.061] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.061] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.061] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0069.061] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0069.061] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0069.061] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0069.061] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0069.061] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned 56 [0069.061] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0069.061] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0069.061] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*") returned 58 [0069.061] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0069.064] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.064] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.064] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.064] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.064] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.064] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\.") returned 58 [0069.064] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.064] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0069.064] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.064] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.064] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.065] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.065] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.065] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\..") returned 59 [0069.065] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.065] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.065] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0069.065] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="Windows") returned -1 [0069.065] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="Program Files") returned -1 [0069.065] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="Program Files (x86)") returned -1 [0069.065] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="$Recycle.bin") returned 1 [0069.065] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="System Volume Information") returned -1 [0069.065] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned 76 [0069.065] StrStrIW (lpFirst="Help_CValidator.H1D", lpSrch=".protected") returned 0x0 [0069.065] lstrcmpW (lpString1="Help_CValidator.H1D", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.065] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0069.065] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0069.065] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0069.066] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned 76 [0069.066] StrStrW (lpFirst="Help_CValidator.H1D", lpSrch=".txt") returned 0x0 [0069.066] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned 76 [0069.066] StrStrW (lpFirst="Help_CValidator.H1D", lpSrch=".rar") returned 0x0 [0069.066] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned 76 [0069.066] StrStrW (lpFirst="Help_CValidator.H1D", lpSrch=".zip") returned 0x0 [0069.066] ReadFile (in: hFile=0x1e4, lpBuffer=0x5e8720, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesRead=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0069.067] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.067] WriteFile (in: hFile=0x1e4, lpBuffer=0x5e8720*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesWritten=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0069.068] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.068] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0069.068] WriteFile (in: hFile=0x1e4, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0069.068] CloseHandle (hObject=0x1e4) returned 1 [0069.068] wnsprintfW (in: pszDest=0x5e8720, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.protected") returned 86 [0069.068] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.protected" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d.protected")) returned 1 [0069.069] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0069.069] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="Windows") returned -1 [0069.069] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="Program Files") returned -1 [0069.069] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="Program Files (x86)") returned -1 [0069.069] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="$Recycle.bin") returned 1 [0069.069] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="System Volume Information") returned -1 [0069.069] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned 78 [0069.069] StrStrIW (lpFirst="Help_MKWD_AssetId.H1W", lpSrch=".protected") returned 0x0 [0069.069] lstrcmpW (lpString1="Help_MKWD_AssetId.H1W", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.069] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0069.069] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0069.069] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0069.070] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned 78 [0069.070] StrStrW (lpFirst="Help_MKWD_AssetId.H1W", lpSrch=".txt") returned 0x0 [0069.070] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned 78 [0069.070] StrStrW (lpFirst="Help_MKWD_AssetId.H1W", lpSrch=".rar") returned 0x0 [0069.070] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned 78 [0069.070] StrStrW (lpFirst="Help_MKWD_AssetId.H1W", lpSrch=".zip") returned 0x0 [0069.070] ReadFile (in: hFile=0x1e4, lpBuffer=0x5e8720, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesRead=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0069.142] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.142] WriteFile (in: hFile=0x1e4, lpBuffer=0x5e8720*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesWritten=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0069.142] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.142] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0069.144] WriteFile (in: hFile=0x1e4, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0069.145] CloseHandle (hObject=0x1e4) returned 1 [0069.145] wnsprintfW (in: pszDest=0x5e8720, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.protected") returned 88 [0069.145] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.protected" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w.protected")) returned 1 [0069.145] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0069.145] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="Windows") returned -1 [0069.145] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="Program Files") returned -1 [0069.145] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="Program Files (x86)") returned -1 [0069.145] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="$Recycle.bin") returned 1 [0069.146] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="System Volume Information") returned -1 [0069.146] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned 78 [0069.146] StrStrIW (lpFirst="Help_MKWD_BestBet.H1W", lpSrch=".protected") returned 0x0 [0069.146] lstrcmpW (lpString1="Help_MKWD_BestBet.H1W", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.146] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0069.146] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0069.146] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0069.147] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned 78 [0069.147] StrStrW (lpFirst="Help_MKWD_BestBet.H1W", lpSrch=".txt") returned 0x0 [0069.147] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned 78 [0069.147] StrStrW (lpFirst="Help_MKWD_BestBet.H1W", lpSrch=".rar") returned 0x0 [0069.147] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned 78 [0069.147] StrStrW (lpFirst="Help_MKWD_BestBet.H1W", lpSrch=".zip") returned 0x0 [0069.147] ReadFile (in: hFile=0x1e4, lpBuffer=0x5e8720, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesRead=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0069.155] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.155] WriteFile (in: hFile=0x1e4, lpBuffer=0x5e8720*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesWritten=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0069.155] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.155] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0069.174] WriteFile (in: hFile=0x1e4, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0069.174] CloseHandle (hObject=0x1e4) returned 1 [0069.174] wnsprintfW (in: pszDest=0x5e8720, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.protected") returned 88 [0069.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.protected" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w.protected")) returned 1 [0069.174] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0069.174] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="Windows") returned -1 [0069.175] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="Program Files") returned -1 [0069.175] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="Program Files (x86)") returned -1 [0069.175] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="$Recycle.bin") returned 1 [0069.175] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="System Volume Information") returned -1 [0069.175] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned 75 [0069.175] StrStrIW (lpFirst="Help_MTOC_help.H1H", lpSrch=".protected") returned 0x0 [0069.175] lstrcmpW (lpString1="Help_MTOC_help.H1H", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.175] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0069.175] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0069.175] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0069.175] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned 75 [0069.175] StrStrW (lpFirst="Help_MTOC_help.H1H", lpSrch=".txt") returned 0x0 [0069.175] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned 75 [0069.175] StrStrW (lpFirst="Help_MTOC_help.H1H", lpSrch=".rar") returned 0x0 [0069.175] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned 75 [0069.175] StrStrW (lpFirst="Help_MTOC_help.H1H", lpSrch=".zip") returned 0x0 [0069.175] ReadFile (in: hFile=0x1e4, lpBuffer=0x5e8720, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesRead=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0069.199] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.199] WriteFile (in: hFile=0x1e4, lpBuffer=0x5e8720*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesWritten=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0069.199] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.200] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0069.327] WriteFile (in: hFile=0x1e4, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0069.328] CloseHandle (hObject=0x1e4) returned 1 [0069.328] wnsprintfW (in: pszDest=0x5e8720, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.protected") returned 85 [0069.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.protected" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h.protected")) returned 1 [0069.328] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0069.328] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="Windows") returned -1 [0069.328] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="Program Files") returned -1 [0069.328] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="Program Files (x86)") returned -1 [0069.328] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="$Recycle.bin") returned 1 [0069.329] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="System Volume Information") returned -1 [0069.329] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned 76 [0069.329] StrStrIW (lpFirst="Help_MValidator.H1D", lpSrch=".protected") returned 0x0 [0069.329] lstrcmpW (lpString1="Help_MValidator.H1D", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.329] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0069.329] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0069.329] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0069.329] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned 76 [0069.329] StrStrW (lpFirst="Help_MValidator.H1D", lpSrch=".txt") returned 0x0 [0069.329] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned 76 [0069.329] StrStrW (lpFirst="Help_MValidator.H1D", lpSrch=".rar") returned 0x0 [0069.329] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned 76 [0069.329] StrStrW (lpFirst="Help_MValidator.H1D", lpSrch=".zip") returned 0x0 [0069.329] ReadFile (in: hFile=0x1e4, lpBuffer=0x5e8720, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesRead=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0069.331] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.331] WriteFile (in: hFile=0x1e4, lpBuffer=0x5e8720*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesWritten=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0069.331] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.331] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0069.331] WriteFile (in: hFile=0x1e4, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0069.331] CloseHandle (hObject=0x1e4) returned 1 [0069.332] wnsprintfW (in: pszDest=0x5e8720, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.protected") returned 86 [0069.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.protected" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d.protected")) returned 1 [0069.332] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0069.332] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Windows") returned -1 [0069.332] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Program Files") returned -1 [0069.332] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Program Files (x86)") returned -1 [0069.332] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="$Recycle.bin") returned 1 [0069.332] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="System Volume Information") returned -1 [0069.332] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 76 [0069.332] StrStrIW (lpFirst="Help_MValidator.Lck", lpSrch=".protected") returned 0x0 [0069.332] lstrcmpW (lpString1="Help_MValidator.Lck", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.333] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0069.333] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0069.333] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0069.333] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 76 [0069.333] StrStrW (lpFirst="Help_MValidator.Lck", lpSrch=".txt") returned 0x0 [0069.333] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 76 [0069.333] StrStrW (lpFirst="Help_MValidator.Lck", lpSrch=".rar") returned 0x0 [0069.333] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 76 [0069.333] StrStrW (lpFirst="Help_MValidator.Lck", lpSrch=".zip") returned 0x0 [0069.333] ReadFile (in: hFile=0x1e4, lpBuffer=0x5e8720, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesRead=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0069.334] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xfffffffc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.334] WriteFile (in: hFile=0x1e4, lpBuffer=0x5e8720*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0069.334] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.334] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0069.334] WriteFile (in: hFile=0x1e4, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0069.334] CloseHandle (hObject=0x1e4) returned 1 [0069.334] wnsprintfW (in: pszDest=0x5e8720, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck.protected") returned 86 [0069.335] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck.protected" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck.protected")) returned 1 [0069.335] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0069.335] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="Windows") returned -1 [0069.335] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="Program Files") returned -1 [0069.335] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="Program Files (x86)") returned -1 [0069.335] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="$Recycle.bin") returned 1 [0069.335] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="System Volume Information") returned -1 [0069.335] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned 103 [0069.335] StrStrIW (lpFirst="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpSrch=".protected") returned 0x0 [0069.335] lstrcmpW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.335] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0069.335] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0069.335] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0069.336] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned 103 [0069.336] StrStrW (lpFirst="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpSrch=".txt") returned 0x0 [0069.336] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned 103 [0069.336] StrStrW (lpFirst="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpSrch=".rar") returned 0x0 [0069.336] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned 103 [0069.336] StrStrW (lpFirst="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpSrch=".zip") returned 0x0 [0069.336] ReadFile (in: hFile=0x1e4, lpBuffer=0x5e8720, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesRead=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0069.342] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.342] WriteFile (in: hFile=0x1e4, lpBuffer=0x5e8720*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5e8720*, lpNumberOfBytesWritten=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0069.343] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.343] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0069.465] WriteFile (in: hFile=0x1e4, lpBuffer=0x568560*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x568560*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0069.465] CloseHandle (hObject=0x1e4) returned 1 [0069.465] wnsprintfW (in: pszDest=0x5e8720, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.protected") returned 113 [0069.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.protected" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q.protected")) returned 1 [0069.466] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0069.466] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0069.466] wnsprintfW (in: pszDest=0x5d76d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 86 [0069.466] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0069.469] lstrlenA (lpString="EMPTY") returned 5 [0069.469] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0069.469] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.470] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.470] CloseHandle (hObject=0x1e0) returned 1 [0069.470] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0069.470] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0069.470] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 80 [0069.470] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0069.470] lstrlenA (lpString="EMPTY") returned 5 [0069.470] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0069.471] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.471] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0069.472] CloseHandle (hObject=0x1dc) returned 1 [0069.472] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0069.472] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0069.472] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 76 [0069.472] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0069.473] lstrlenA (lpString="EMPTY") returned 5 [0069.473] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0069.473] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.474] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.474] CloseHandle (hObject=0x1d8) returned 1 [0069.474] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0069.474] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0069.474] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 69 [0069.474] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0069.474] lstrlenA (lpString="EMPTY") returned 5 [0069.474] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0069.475] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.475] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0069.475] CloseHandle (hObject=0x1d4) returned 1 [0069.475] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0069.475] lstrcmpiW (lpString1="Crypto", lpString2="Windows") returned -1 [0069.475] lstrcmpiW (lpString1="Crypto", lpString2="Program Files") returned -1 [0069.476] lstrcmpiW (lpString1="Crypto", lpString2="Program Files (x86)") returned -1 [0069.476] lstrcmpiW (lpString1="Crypto", lpString2="$Recycle.bin") returned 1 [0069.476] lstrcmpiW (lpString1="Crypto", lpString2="System Volume Information") returned -1 [0069.476] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto") returned 35 [0069.476] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1 [0069.476] lstrcmpW (lpString1="Crypto", lpString2="..") returned 1 [0069.476] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*") returned 37 [0069.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0069.476] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.476] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.476] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.476] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.476] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.476] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\.") returned 37 [0069.476] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.476] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.476] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.476] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.476] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.476] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.476] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.476] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\..") returned 38 [0069.476] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.476] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.476] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.476] lstrcmpiW (lpString1="DSS", lpString2="Windows") returned -1 [0069.476] lstrcmpiW (lpString1="DSS", lpString2="Program Files") returned -1 [0069.477] lstrcmpiW (lpString1="DSS", lpString2="Program Files (x86)") returned -1 [0069.477] lstrcmpiW (lpString1="DSS", lpString2="$Recycle.bin") returned 1 [0069.477] lstrcmpiW (lpString1="DSS", lpString2="System Volume Information") returned -1 [0069.477] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS") returned 39 [0069.477] lstrcmpW (lpString1="DSS", lpString2=".") returned 1 [0069.477] lstrcmpW (lpString1="DSS", lpString2="..") returned 1 [0069.477] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*") returned 41 [0069.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0069.477] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.477] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.477] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.477] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.477] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.477] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\.") returned 41 [0069.477] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.477] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.477] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.477] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.477] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.477] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.477] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.477] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\..") returned 42 [0069.477] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.477] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.477] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.477] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0069.478] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0069.478] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0069.478] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0069.478] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0069.478] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys") returned 51 [0069.478] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0069.478] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1 [0069.478] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*") returned 53 [0069.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0069.479] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.479] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.479] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.479] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.479] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.479] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\.") returned 53 [0069.479] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.479] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.479] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.479] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.479] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.479] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.479] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.479] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\..") returned 54 [0069.479] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.479] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.479] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0069.479] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0069.479] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 81 [0069.479] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0069.480] lstrlenA (lpString="EMPTY") returned 5 [0069.480] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0069.481] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.481] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0069.481] CloseHandle (hObject=0x1dc) returned 1 [0069.481] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0069.481] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0069.481] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 69 [0069.481] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0069.482] lstrlenA (lpString="EMPTY") returned 5 [0069.482] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0069.482] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.482] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.482] CloseHandle (hObject=0x1d8) returned 1 [0069.483] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.483] lstrcmpiW (lpString1="Keys", lpString2="Windows") returned -1 [0069.483] lstrcmpiW (lpString1="Keys", lpString2="Program Files") returned -1 [0069.483] lstrcmpiW (lpString1="Keys", lpString2="Program Files (x86)") returned -1 [0069.483] lstrcmpiW (lpString1="Keys", lpString2="$Recycle.bin") returned 1 [0069.483] lstrcmpiW (lpString1="Keys", lpString2="System Volume Information") returned -1 [0069.483] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys") returned 40 [0069.483] lstrcmpW (lpString1="Keys", lpString2=".") returned 1 [0069.483] lstrcmpW (lpString1="Keys", lpString2="..") returned 1 [0069.483] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*") returned 42 [0069.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0069.484] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.484] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.484] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.484] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.484] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.484] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.") returned 42 [0069.484] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.484] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0069.484] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.484] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0069.484] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0069.484] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\." (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.484] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.484] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.484] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.484] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.484] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.484] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.484] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\..") returned 43 [0069.484] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.484] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.484] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0069.485] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.485] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0069.485] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0069.485] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.." (normalized: "c:\\programdata\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.485] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0069.485] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0069.485] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 70 [0069.485] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0069.486] lstrlenA (lpString="EMPTY") returned 5 [0069.486] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0069.487] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.487] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.487] CloseHandle (hObject=0x1d8) returned 1 [0069.487] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.487] lstrcmpiW (lpString1="RSA", lpString2="Windows") returned -1 [0069.487] lstrcmpiW (lpString1="RSA", lpString2="Program Files") returned 1 [0069.487] lstrcmpiW (lpString1="RSA", lpString2="Program Files (x86)") returned 1 [0069.487] lstrcmpiW (lpString1="RSA", lpString2="$Recycle.bin") returned 1 [0069.487] lstrcmpiW (lpString1="RSA", lpString2="System Volume Information") returned -1 [0069.487] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA") returned 39 [0069.487] lstrcmpW (lpString1="RSA", lpString2=".") returned 1 [0069.487] lstrcmpW (lpString1="RSA", lpString2="..") returned 1 [0069.487] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*") returned 41 [0069.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0069.488] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.488] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.488] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.488] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.488] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.488] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\.") returned 41 [0069.488] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.488] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.488] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.488] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.488] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.488] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.488] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.488] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\..") returned 42 [0069.488] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.488] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.488] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.488] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0069.488] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0069.488] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0069.488] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0069.488] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0069.488] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys") returned 51 [0069.488] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0069.488] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1 [0069.488] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*") returned 53 [0069.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0069.489] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.489] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.489] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.489] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.489] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.489] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\.") returned 53 [0069.489] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.489] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.489] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.489] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.489] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.489] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.489] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.489] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\..") returned 54 [0069.489] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.489] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.489] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0069.489] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0069.489] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 81 [0069.489] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0069.490] lstrlenA (lpString="EMPTY") returned 5 [0069.490] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0069.490] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.490] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0069.491] CloseHandle (hObject=0x1dc) returned 1 [0069.491] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.491] lstrcmpiW (lpString1="S-1-5-18", lpString2="Windows") returned -1 [0069.491] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files") returned 1 [0069.491] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files (x86)") returned 1 [0069.491] lstrcmpiW (lpString1="S-1-5-18", lpString2="$Recycle.bin") returned 1 [0069.491] lstrcmpiW (lpString1="S-1-5-18", lpString2="System Volume Information") returned -1 [0069.491] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned 48 [0069.491] lstrcmpW (lpString1="S-1-5-18", lpString2=".") returned 1 [0069.491] lstrcmpW (lpString1="S-1-5-18", lpString2="..") returned 1 [0069.491] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*") returned 50 [0069.491] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0069.492] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.492] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.492] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.492] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.492] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.492] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.") returned 50 [0069.492] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.492] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0069.492] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.492] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.492] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x568560*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x568560*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.492] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\." (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.493] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.493] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.493] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.493] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.493] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.493] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.493] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\..") returned 51 [0069.493] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.493] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.493] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0069.493] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.493] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.493] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.493] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.." (normalized: "c:\\programdata\\microsoft\\crypto\\rsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.493] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.493] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0069.493] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0069.493] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0069.493] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0069.493] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0069.493] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0069.493] StrStrIW (lpFirst="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".protected") returned 0x0 [0069.493] lstrcmpW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.493] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.493] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.493] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0069.494] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0069.494] StrStrW (lpFirst="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".txt") returned 0x0 [0069.494] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0069.494] StrStrW (lpFirst="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".rar") returned 0x0 [0069.494] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0069.494] StrStrW (lpFirst="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".zip") returned 0x0 [0069.494] ReadFile (in: hFile=0x1e0, lpBuffer=0x5d86d0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d86d0*, lpNumberOfBytesRead=0x2ee888*=0x2f, lpOverlapped=0x0) returned 1 [0069.500] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffffd1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.500] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d86d0*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d86d0*, lpNumberOfBytesWritten=0x2ee888*=0x2f, lpOverlapped=0x0) returned 1 [0069.500] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.500] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0069.500] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0069.501] CloseHandle (hObject=0x1e0) returned 1 [0069.501] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected") returned 128 [0069.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected")) returned 1 [0069.634] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.634] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0069.634] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0069.634] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0069.634] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0069.634] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0069.634] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0069.634] StrStrIW (lpFirst="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".protected") returned 0x0 [0069.635] lstrcmpW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.635] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.635] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.635] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0069.635] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0069.635] StrStrW (lpFirst="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".txt") returned 0x0 [0069.635] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0069.635] StrStrW (lpFirst="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".rar") returned 0x0 [0069.635] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0069.635] StrStrW (lpFirst="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".zip") returned 0x0 [0069.635] ReadFile (in: hFile=0x1e0, lpBuffer=0x5d86d0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d86d0*, lpNumberOfBytesRead=0x2ee888*=0x41d, lpOverlapped=0x0) returned 1 [0069.748] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xfffffbe3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.748] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d86d0*, nNumberOfBytesToWrite=0x41d, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d86d0*, lpNumberOfBytesWritten=0x2ee888*=0x41d, lpOverlapped=0x0) returned 1 [0069.748] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.748] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0069.748] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0069.748] CloseHandle (hObject=0x1e0) returned 1 [0069.749] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected") returned 128 [0069.749] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.protected")) returned 1 [0069.749] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0069.749] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0069.749] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 78 [0069.749] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0069.752] lstrlenA (lpString="EMPTY") returned 5 [0069.752] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0069.753] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.753] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0069.753] CloseHandle (hObject=0x1dc) returned 1 [0069.754] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0069.755] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0069.755] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 69 [0069.755] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0069.763] lstrlenA (lpString="EMPTY") returned 5 [0069.763] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0069.764] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.764] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.764] CloseHandle (hObject=0x1d8) returned 1 [0069.764] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0069.764] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0069.764] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 65 [0069.764] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0069.766] lstrlenA (lpString="EMPTY") returned 5 [0069.766] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0069.767] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.767] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0069.767] CloseHandle (hObject=0x1d4) returned 1 [0069.767] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0069.767] lstrcmpiW (lpString1="Device Stage", lpString2="Windows") returned -1 [0069.767] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files") returned -1 [0069.767] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files (x86)") returned -1 [0069.767] lstrcmpiW (lpString1="Device Stage", lpString2="$Recycle.bin") returned 1 [0069.767] lstrcmpiW (lpString1="Device Stage", lpString2="System Volume Information") returned -1 [0069.767] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage") returned 41 [0069.767] lstrcmpW (lpString1="Device Stage", lpString2=".") returned 1 [0069.767] lstrcmpW (lpString1="Device Stage", lpString2="..") returned 1 [0069.768] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*") returned 43 [0069.768] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0069.768] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.768] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.768] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.768] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.768] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.768] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\.") returned 43 [0069.768] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.768] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.768] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.768] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.768] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.768] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.768] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.768] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\..") returned 44 [0069.768] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.768] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.768] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.768] lstrcmpiW (lpString1="Device", lpString2="Windows") returned -1 [0069.768] lstrcmpiW (lpString1="Device", lpString2="Program Files") returned -1 [0069.769] lstrcmpiW (lpString1="Device", lpString2="Program Files (x86)") returned -1 [0069.769] lstrcmpiW (lpString1="Device", lpString2="$Recycle.bin") returned 1 [0069.769] lstrcmpiW (lpString1="Device", lpString2="System Volume Information") returned -1 [0069.769] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device") returned 48 [0069.769] lstrcmpW (lpString1="Device", lpString2=".") returned 1 [0069.769] lstrcmpW (lpString1="Device", lpString2="..") returned 1 [0069.769] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*") returned 50 [0069.769] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0069.771] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.771] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.771] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.771] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.771] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.771] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\.") returned 50 [0069.771] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.771] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.771] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.771] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.771] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.771] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.771] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.771] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\..") returned 51 [0069.771] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.771] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.771] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.771] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Windows") returned -1 [0069.771] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files") returned -1 [0069.771] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files (x86)") returned -1 [0069.771] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="$Recycle.bin") returned 1 [0069.771] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="System Volume Information") returned -1 [0069.771] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 87 [0069.771] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2=".") returned 1 [0069.771] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="..") returned 1 [0069.771] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*") returned 89 [0069.771] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0069.808] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.808] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.808] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.808] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.808] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.808] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\.") returned 89 [0069.808] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.808] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.808] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.808] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.808] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.808] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.808] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.808] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\..") returned 90 [0069.808] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.809] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.809] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.809] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0069.809] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0069.809] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0069.809] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0069.809] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0069.809] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 102 [0069.809] StrStrIW (lpFirst="background.png", lpSrch=".protected") returned 0x0 [0069.809] lstrcmpW (lpString1="background.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.809] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.809] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.809] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.809] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.809] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0069.809] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0069.809] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0069.809] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0069.809] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0069.809] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 100 [0069.809] StrStrIW (lpFirst="behavior.xml", lpSrch=".protected") returned 0x0 [0069.809] lstrcmpW (lpString1="behavior.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.809] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.809] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.809] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.814] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.814] lstrcmpiW (lpString1="device.png", lpString2="Windows") returned -1 [0069.814] lstrcmpiW (lpString1="device.png", lpString2="Program Files") returned -1 [0069.814] lstrcmpiW (lpString1="device.png", lpString2="Program Files (x86)") returned -1 [0069.814] lstrcmpiW (lpString1="device.png", lpString2="$Recycle.bin") returned 1 [0069.814] lstrcmpiW (lpString1="device.png", lpString2="System Volume Information") returned -1 [0069.814] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 98 [0069.814] StrStrIW (lpFirst="device.png", lpSrch=".protected") returned 0x0 [0069.814] lstrcmpW (lpString1="device.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.815] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.815] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.815] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.815] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.815] lstrcmpiW (lpString1="overlay.png", lpString2="Windows") returned -1 [0069.815] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files") returned -1 [0069.815] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files (x86)") returned -1 [0069.815] lstrcmpiW (lpString1="overlay.png", lpString2="$Recycle.bin") returned 1 [0069.815] lstrcmpiW (lpString1="overlay.png", lpString2="System Volume Information") returned -1 [0069.815] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 99 [0069.815] StrStrIW (lpFirst="overlay.png", lpSrch=".protected") returned 0x0 [0069.815] lstrcmpW (lpString1="overlay.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.815] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.815] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.815] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.815] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.815] lstrcmpiW (lpString1="superbar.png", lpString2="Windows") returned -1 [0069.815] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files") returned 1 [0069.815] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files (x86)") returned 1 [0069.815] lstrcmpiW (lpString1="superbar.png", lpString2="$Recycle.bin") returned 1 [0069.815] lstrcmpiW (lpString1="superbar.png", lpString2="System Volume Information") returned -1 [0069.815] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 100 [0069.815] StrStrIW (lpFirst="superbar.png", lpSrch=".protected") returned 0x0 [0069.815] lstrcmpW (lpString1="superbar.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.815] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.816] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.816] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.828] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0069.828] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0069.829] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 117 [0069.829] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0069.830] lstrlenA (lpString="EMPTY") returned 5 [0069.830] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0069.831] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.831] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0069.831] CloseHandle (hObject=0x1dc) returned 1 [0069.831] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.831] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Windows") returned -1 [0069.832] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files") returned -1 [0069.832] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files (x86)") returned -1 [0069.832] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="$Recycle.bin") returned 1 [0069.832] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="System Volume Information") returned -1 [0069.832] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 87 [0069.832] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2=".") returned 1 [0069.832] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="..") returned 1 [0069.832] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*") returned 89 [0069.832] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0069.832] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.832] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.832] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.832] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.832] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.832] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\.") returned 89 [0069.832] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.832] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.832] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.832] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.832] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.832] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.832] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.832] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\..") returned 90 [0069.832] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.832] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.832] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.832] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0069.832] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0069.833] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0069.833] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0069.833] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0069.833] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 102 [0069.833] StrStrIW (lpFirst="background.png", lpSrch=".protected") returned 0x0 [0069.833] lstrcmpW (lpString1="background.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.833] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.833] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.833] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.833] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.833] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0069.833] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0069.833] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0069.833] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0069.833] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0069.833] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 100 [0069.833] StrStrIW (lpFirst="behavior.xml", lpSrch=".protected") returned 0x0 [0069.833] lstrcmpW (lpString1="behavior.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.833] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.833] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.833] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.833] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.833] lstrcmpiW (lpString1="watermark.png", lpString2="Windows") returned -1 [0069.833] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files") returned 1 [0069.834] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files (x86)") returned 1 [0069.834] lstrcmpiW (lpString1="watermark.png", lpString2="$Recycle.bin") returned 1 [0069.834] lstrcmpiW (lpString1="watermark.png", lpString2="System Volume Information") returned 1 [0069.834] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 101 [0069.834] StrStrIW (lpFirst="watermark.png", lpSrch=".protected") returned 0x0 [0069.834] lstrcmpW (lpString1="watermark.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.834] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.834] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.834] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.834] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0069.834] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0069.836] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 117 [0069.836] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0069.877] lstrlenA (lpString="EMPTY") returned 5 [0069.877] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0069.877] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.877] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0069.877] CloseHandle (hObject=0x1dc) returned 1 [0069.878] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0069.878] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0069.878] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 78 [0069.878] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0069.913] lstrlenA (lpString="EMPTY") returned 5 [0069.913] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0069.913] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.913] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.914] CloseHandle (hObject=0x1d8) returned 1 [0069.914] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.914] lstrcmpiW (lpString1="Task", lpString2="Windows") returned -1 [0069.914] lstrcmpiW (lpString1="Task", lpString2="Program Files") returned 1 [0069.914] lstrcmpiW (lpString1="Task", lpString2="Program Files (x86)") returned 1 [0069.914] lstrcmpiW (lpString1="Task", lpString2="$Recycle.bin") returned 1 [0069.914] lstrcmpiW (lpString1="Task", lpString2="System Volume Information") returned 1 [0069.914] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task") returned 46 [0069.914] lstrcmpW (lpString1="Task", lpString2=".") returned 1 [0069.914] lstrcmpW (lpString1="Task", lpString2="..") returned 1 [0069.914] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*") returned 48 [0069.914] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0069.914] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.914] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.914] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.914] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.914] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.915] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\.") returned 48 [0069.915] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.915] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.915] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.915] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.915] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.915] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.915] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.915] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\..") returned 49 [0069.915] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.915] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.915] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.915] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Windows") returned -1 [0069.915] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files") returned -1 [0069.915] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files (x86)") returned -1 [0069.915] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="$Recycle.bin") returned 1 [0069.915] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="System Volume Information") returned -1 [0069.915] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 85 [0069.915] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2=".") returned 1 [0069.915] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="..") returned 1 [0069.915] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*") returned 87 [0069.915] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0069.918] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.918] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.918] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.918] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.918] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.918] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\.") returned 87 [0069.918] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.918] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.918] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.918] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.918] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.918] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.918] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.918] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\..") returned 88 [0069.918] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.918] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.918] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.918] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0069.918] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0069.918] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0069.918] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0069.918] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0069.918] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned 91 [0069.918] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0069.918] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0069.918] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*") returned 93 [0069.918] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0069.919] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.919] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.919] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.919] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.919] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.919] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\.") returned 93 [0069.919] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.919] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0069.919] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.919] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.919] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.919] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.919] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.919] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\..") returned 94 [0069.919] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.919] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.919] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0069.919] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0069.919] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0069.919] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0069.919] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0069.919] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0069.919] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 104 [0069.919] StrStrIW (lpFirst="resource.xml", lpSrch=".protected") returned 0x0 [0069.919] lstrcmpW (lpString1="resource.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.919] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0069.919] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0069.919] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.920] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0069.920] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0069.920] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 121 [0069.920] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0069.921] lstrlenA (lpString="EMPTY") returned 5 [0069.921] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0069.922] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.922] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.922] CloseHandle (hObject=0x1e0) returned 1 [0069.923] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.923] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0069.923] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0069.923] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0069.923] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0069.923] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0069.923] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 96 [0069.923] StrStrIW (lpFirst="folder.ico", lpSrch=".protected") returned 0x0 [0069.923] lstrcmpW (lpString1="folder.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.923] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.923] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.923] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.924] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.924] lstrcmpiW (lpString1="netfol.ico", lpString2="Windows") returned -1 [0069.924] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files") returned -1 [0069.924] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files (x86)") returned -1 [0069.924] lstrcmpiW (lpString1="netfol.ico", lpString2="$Recycle.bin") returned 1 [0069.924] lstrcmpiW (lpString1="netfol.ico", lpString2="System Volume Information") returned -1 [0069.924] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 96 [0069.924] StrStrIW (lpFirst="netfol.ico", lpSrch=".protected") returned 0x0 [0069.924] lstrcmpW (lpString1="netfol.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.924] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.924] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.924] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.924] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.924] lstrcmpiW (lpString1="pictures.ico", lpString2="Windows") returned -1 [0069.924] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files") returned -1 [0069.924] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files (x86)") returned -1 [0069.924] lstrcmpiW (lpString1="pictures.ico", lpString2="$Recycle.bin") returned 1 [0069.924] lstrcmpiW (lpString1="pictures.ico", lpString2="System Volume Information") returned -1 [0069.924] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 98 [0069.924] StrStrIW (lpFirst="pictures.ico", lpSrch=".protected") returned 0x0 [0069.924] lstrcmpW (lpString1="pictures.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.924] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.924] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.925] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.925] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.925] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0069.925] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0069.925] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0069.925] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0069.925] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0069.925] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 98 [0069.925] StrStrIW (lpFirst="resource.xml", lpSrch=".protected") returned 0x0 [0069.925] lstrcmpW (lpString1="resource.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.925] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.925] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.925] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.926] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.926] lstrcmpiW (lpString1="ringtones.ico", lpString2="Windows") returned -1 [0069.926] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files") returned 1 [0069.926] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files (x86)") returned 1 [0069.926] lstrcmpiW (lpString1="ringtones.ico", lpString2="$Recycle.bin") returned 1 [0069.926] lstrcmpiW (lpString1="ringtones.ico", lpString2="System Volume Information") returned -1 [0069.926] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 99 [0069.926] StrStrIW (lpFirst="ringtones.ico", lpSrch=".protected") returned 0x0 [0069.926] lstrcmpW (lpString1="ringtones.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.926] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.926] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.926] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.926] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.926] lstrcmpiW (lpString1="settings.ico", lpString2="Windows") returned -1 [0069.926] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files") returned 1 [0069.926] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files (x86)") returned 1 [0069.926] lstrcmpiW (lpString1="settings.ico", lpString2="$Recycle.bin") returned 1 [0069.926] lstrcmpiW (lpString1="settings.ico", lpString2="System Volume Information") returned -1 [0069.926] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 98 [0069.926] StrStrIW (lpFirst="settings.ico", lpSrch=".protected") returned 0x0 [0069.926] lstrcmpW (lpString1="settings.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.927] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.927] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.927] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.927] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.927] lstrcmpiW (lpString1="sync.ico", lpString2="Windows") returned -1 [0069.927] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files") returned 1 [0069.927] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files (x86)") returned 1 [0069.927] lstrcmpiW (lpString1="sync.ico", lpString2="$Recycle.bin") returned 1 [0069.927] lstrcmpiW (lpString1="sync.ico", lpString2="System Volume Information") returned -1 [0069.927] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 94 [0069.927] StrStrIW (lpFirst="sync.ico", lpSrch=".protected") returned 0x0 [0069.927] lstrcmpW (lpString1="sync.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.927] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.927] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.927] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.927] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.927] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0069.927] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0069.927] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0069.927] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0069.927] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0069.927] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 95 [0069.927] StrStrIW (lpFirst="tasks.xml", lpSrch=".protected") returned 0x0 [0069.928] lstrcmpW (lpString1="tasks.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.928] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.928] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.928] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.928] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.928] lstrcmpiW (lpString1="wmp.ico", lpString2="Windows") returned 1 [0069.928] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files") returned 1 [0069.928] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files (x86)") returned 1 [0069.928] lstrcmpiW (lpString1="wmp.ico", lpString2="$Recycle.bin") returned 1 [0069.929] lstrcmpiW (lpString1="wmp.ico", lpString2="System Volume Information") returned 1 [0069.929] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 93 [0069.929] StrStrIW (lpFirst="wmp.ico", lpSrch=".protected") returned 0x0 [0069.929] lstrcmpW (lpString1="wmp.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.929] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.929] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.929] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.929] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0069.929] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0069.929] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 115 [0069.929] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0069.929] lstrlenA (lpString="EMPTY") returned 5 [0069.929] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0069.930] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.930] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0069.931] CloseHandle (hObject=0x1dc) returned 1 [0069.931] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.931] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Windows") returned -1 [0069.931] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files") returned -1 [0069.931] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files (x86)") returned -1 [0069.931] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="$Recycle.bin") returned 1 [0069.931] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="System Volume Information") returned -1 [0069.931] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 85 [0069.931] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2=".") returned 1 [0069.931] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="..") returned 1 [0069.931] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*") returned 87 [0069.931] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0069.933] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.933] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.933] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.933] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.933] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.933] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\.") returned 87 [0069.933] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.933] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.933] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.933] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.933] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.933] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.933] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.933] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\..") returned 88 [0069.933] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.933] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.933] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.933] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0069.933] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0069.933] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0069.933] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0069.934] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0069.934] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned 91 [0069.934] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0069.934] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0069.934] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*") returned 93 [0069.934] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0069.934] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.934] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.934] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.934] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.934] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.934] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\.") returned 93 [0069.934] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.934] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0069.934] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.934] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.934] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.934] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.934] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.934] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\..") returned 94 [0069.934] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.934] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.934] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0069.934] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0069.934] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0069.934] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0069.934] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0069.934] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0069.934] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 104 [0069.934] StrStrIW (lpFirst="resource.xml", lpSrch=".protected") returned 0x0 [0069.934] lstrcmpW (lpString1="resource.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.934] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0069.934] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0069.934] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.935] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0069.935] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0069.935] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 121 [0069.935] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0069.936] lstrlenA (lpString="EMPTY") returned 5 [0069.936] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0069.937] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.937] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.937] CloseHandle (hObject=0x1e0) returned 1 [0069.937] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.937] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0069.937] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0069.937] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0069.937] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0069.937] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0069.937] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 96 [0069.937] StrStrIW (lpFirst="folder.ico", lpSrch=".protected") returned 0x0 [0069.937] lstrcmpW (lpString1="folder.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.937] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.937] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.937] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.937] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.937] lstrcmpiW (lpString1="print_pref.ico", lpString2="Windows") returned -1 [0069.937] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files") returned -1 [0069.937] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files (x86)") returned -1 [0069.937] lstrcmpiW (lpString1="print_pref.ico", lpString2="$Recycle.bin") returned 1 [0069.938] lstrcmpiW (lpString1="print_pref.ico", lpString2="System Volume Information") returned -1 [0069.938] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 100 [0069.938] StrStrIW (lpFirst="print_pref.ico", lpSrch=".protected") returned 0x0 [0069.938] lstrcmpW (lpString1="print_pref.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.938] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.938] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.938] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.938] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.938] lstrcmpiW (lpString1="print_property.ico", lpString2="Windows") returned -1 [0069.938] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files") returned -1 [0069.938] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files (x86)") returned -1 [0069.938] lstrcmpiW (lpString1="print_property.ico", lpString2="$Recycle.bin") returned 1 [0069.938] lstrcmpiW (lpString1="print_property.ico", lpString2="System Volume Information") returned -1 [0069.938] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 104 [0069.938] StrStrIW (lpFirst="print_property.ico", lpSrch=".protected") returned 0x0 [0069.938] lstrcmpW (lpString1="print_property.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.938] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.938] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.938] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.938] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.938] lstrcmpiW (lpString1="print_queue.ico", lpString2="Windows") returned -1 [0069.938] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files") returned -1 [0069.938] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files (x86)") returned -1 [0069.938] lstrcmpiW (lpString1="print_queue.ico", lpString2="$Recycle.bin") returned 1 [0069.938] lstrcmpiW (lpString1="print_queue.ico", lpString2="System Volume Information") returned -1 [0069.938] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 101 [0069.938] StrStrIW (lpFirst="print_queue.ico", lpSrch=".protected") returned 0x0 [0069.938] lstrcmpW (lpString1="print_queue.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.938] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.938] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.939] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.939] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.939] lstrcmpiW (lpString1="scan_.ico", lpString2="Windows") returned -1 [0069.939] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files") returned 1 [0069.939] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files (x86)") returned 1 [0069.939] lstrcmpiW (lpString1="scan_.ico", lpString2="$Recycle.bin") returned 1 [0069.939] lstrcmpiW (lpString1="scan_.ico", lpString2="System Volume Information") returned -1 [0069.939] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 95 [0069.939] StrStrIW (lpFirst="scan_.ico", lpSrch=".protected") returned 0x0 [0069.939] lstrcmpW (lpString1="scan_.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.939] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.939] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.939] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.939] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.940] lstrcmpiW (lpString1="scan_property.ico", lpString2="Windows") returned -1 [0069.940] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files") returned 1 [0069.940] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files (x86)") returned 1 [0069.940] lstrcmpiW (lpString1="scan_property.ico", lpString2="$Recycle.bin") returned 1 [0069.940] lstrcmpiW (lpString1="scan_property.ico", lpString2="System Volume Information") returned -1 [0069.940] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 103 [0069.940] StrStrIW (lpFirst="scan_property.ico", lpSrch=".protected") returned 0x0 [0069.940] lstrcmpW (lpString1="scan_property.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.940] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.940] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.940] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.940] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.940] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Windows") returned -1 [0069.940] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files") returned 1 [0069.940] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files (x86)") returned 1 [0069.940] lstrcmpiW (lpString1="scan_settings.ico", lpString2="$Recycle.bin") returned 1 [0069.940] lstrcmpiW (lpString1="scan_settings.ico", lpString2="System Volume Information") returned -1 [0069.940] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 103 [0069.940] StrStrIW (lpFirst="scan_settings.ico", lpSrch=".protected") returned 0x0 [0069.940] lstrcmpW (lpString1="scan_settings.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.940] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.940] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.940] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.940] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.940] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0069.940] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0069.940] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0069.940] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0069.940] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0069.940] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 95 [0069.940] StrStrIW (lpFirst="tasks.xml", lpSrch=".protected") returned 0x0 [0069.941] lstrcmpW (lpString1="tasks.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.941] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0069.941] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0069.941] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.941] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0069.941] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0069.941] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 115 [0069.941] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0069.941] lstrlenA (lpString="EMPTY") returned 5 [0069.941] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0069.942] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.942] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0069.942] CloseHandle (hObject=0x1dc) returned 1 [0069.942] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0069.942] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0069.942] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 76 [0069.942] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0069.948] lstrlenA (lpString="EMPTY") returned 5 [0069.948] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0069.949] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.949] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.949] CloseHandle (hObject=0x1d8) returned 1 [0069.949] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0069.949] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0069.949] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 71 [0069.949] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0069.950] lstrlenA (lpString="EMPTY") returned 5 [0069.950] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0069.951] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.951] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0069.951] CloseHandle (hObject=0x1d4) returned 1 [0069.951] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0069.951] lstrcmpiW (lpString1="DeviceSync", lpString2="Windows") returned -1 [0069.951] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files") returned -1 [0069.951] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files (x86)") returned -1 [0069.951] lstrcmpiW (lpString1="DeviceSync", lpString2="$Recycle.bin") returned 1 [0069.951] lstrcmpiW (lpString1="DeviceSync", lpString2="System Volume Information") returned -1 [0069.951] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync") returned 39 [0069.951] lstrcmpW (lpString1="DeviceSync", lpString2=".") returned 1 [0069.951] lstrcmpW (lpString1="DeviceSync", lpString2="..") returned 1 [0069.951] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*") returned 41 [0069.951] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0069.954] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.954] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.954] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.954] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.954] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.954] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\.") returned 41 [0069.954] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.954] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.955] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.955] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.955] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.955] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.955] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.955] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\..") returned 42 [0069.955] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.955] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.955] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0069.955] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0069.955] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 69 [0069.955] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\devicesync\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0069.956] lstrlenA (lpString="EMPTY") returned 5 [0069.956] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0069.956] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.956] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0069.957] CloseHandle (hObject=0x1d4) returned 1 [0069.957] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0069.957] lstrcmpiW (lpString1="DRM", lpString2="Windows") returned -1 [0069.957] lstrcmpiW (lpString1="DRM", lpString2="Program Files") returned -1 [0069.957] lstrcmpiW (lpString1="DRM", lpString2="Program Files (x86)") returned -1 [0069.957] lstrcmpiW (lpString1="DRM", lpString2="$Recycle.bin") returned 1 [0069.957] lstrcmpiW (lpString1="DRM", lpString2="System Volume Information") returned -1 [0069.957] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM") returned 32 [0069.957] lstrcmpW (lpString1="DRM", lpString2=".") returned 1 [0069.957] lstrcmpW (lpString1="DRM", lpString2="..") returned 1 [0069.957] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*") returned 34 [0069.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0069.957] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.957] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.957] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.957] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.957] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.957] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\.") returned 34 [0069.957] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.957] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.957] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.957] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.957] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.957] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.957] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.957] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\..") returned 35 [0069.957] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.958] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.958] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.958] lstrcmpiW (lpString1="Server", lpString2="Windows") returned -1 [0069.958] lstrcmpiW (lpString1="Server", lpString2="Program Files") returned 1 [0069.958] lstrcmpiW (lpString1="Server", lpString2="Program Files (x86)") returned 1 [0069.958] lstrcmpiW (lpString1="Server", lpString2="$Recycle.bin") returned 1 [0069.958] lstrcmpiW (lpString1="Server", lpString2="System Volume Information") returned -1 [0069.958] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server") returned 39 [0069.958] lstrcmpW (lpString1="Server", lpString2=".") returned 1 [0069.958] lstrcmpW (lpString1="Server", lpString2="..") returned 1 [0069.958] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*") returned 41 [0069.958] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0069.958] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.958] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.958] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.958] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.958] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.958] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.") returned 41 [0069.958] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.958] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0069.958] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.958] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0069.958] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0069.958] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\." (normalized: "c:\\programdata\\microsoft\\drm\\server\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.958] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.958] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.958] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.958] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.958] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.958] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.958] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\..") returned 42 [0069.958] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.958] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.958] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0069.959] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0069.959] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0069.959] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0069.959] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.." (normalized: "c:\\programdata\\microsoft\\drm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0069.959] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0069.959] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0069.959] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 69 [0069.959] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\drm\\server\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0069.959] lstrlenA (lpString="EMPTY") returned 5 [0069.959] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0069.960] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.960] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.960] CloseHandle (hObject=0x1d8) returned 1 [0069.960] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0069.960] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0069.960] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 62 [0069.960] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\drm\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0069.961] lstrlenA (lpString="EMPTY") returned 5 [0069.961] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0069.962] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.962] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0069.962] CloseHandle (hObject=0x1d4) returned 1 [0069.962] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0069.962] lstrcmpiW (lpString1="eHome", lpString2="Windows") returned -1 [0069.962] lstrcmpiW (lpString1="eHome", lpString2="Program Files") returned -1 [0069.962] lstrcmpiW (lpString1="eHome", lpString2="Program Files (x86)") returned -1 [0069.962] lstrcmpiW (lpString1="eHome", lpString2="$Recycle.bin") returned 1 [0069.962] lstrcmpiW (lpString1="eHome", lpString2="System Volume Information") returned -1 [0069.962] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome") returned 34 [0069.962] lstrcmpW (lpString1="eHome", lpString2=".") returned 1 [0069.962] lstrcmpW (lpString1="eHome", lpString2="..") returned 1 [0069.962] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*") returned 36 [0069.962] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0069.962] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.962] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.962] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.962] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.962] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.962] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\.") returned 36 [0069.962] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.962] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.962] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.963] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.963] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.963] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.963] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.963] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\..") returned 37 [0069.963] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.963] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.963] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.963] lstrcmpiW (lpString1="logs", lpString2="Windows") returned -1 [0069.963] lstrcmpiW (lpString1="logs", lpString2="Program Files") returned -1 [0069.963] lstrcmpiW (lpString1="logs", lpString2="Program Files (x86)") returned -1 [0069.963] lstrcmpiW (lpString1="logs", lpString2="$Recycle.bin") returned 1 [0069.963] lstrcmpiW (lpString1="logs", lpString2="System Volume Information") returned -1 [0069.963] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs") returned 39 [0069.963] lstrcmpW (lpString1="logs", lpString2=".") returned 1 [0069.963] lstrcmpW (lpString1="logs", lpString2="..") returned 1 [0069.963] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*") returned 41 [0069.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0069.963] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.963] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.963] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.963] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.963] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.963] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\.") returned 41 [0069.963] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.963] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.963] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.963] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.963] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.963] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.963] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.963] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\..") returned 42 [0069.963] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.963] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.963] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0069.963] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0069.963] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 69 [0069.964] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\ehome\\logs\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0069.964] lstrlenA (lpString="EMPTY") returned 5 [0069.964] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0069.964] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.964] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.965] CloseHandle (hObject=0x1d8) returned 1 [0069.965] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0069.965] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0069.965] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 64 [0069.965] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\ehome\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0069.966] lstrlenA (lpString="EMPTY") returned 5 [0069.966] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0069.966] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.966] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0069.966] CloseHandle (hObject=0x1d4) returned 1 [0069.966] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0069.966] lstrcmpiW (lpString1="Event Viewer", lpString2="Windows") returned -1 [0069.966] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files") returned -1 [0069.966] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files (x86)") returned -1 [0069.966] lstrcmpiW (lpString1="Event Viewer", lpString2="$Recycle.bin") returned 1 [0069.966] lstrcmpiW (lpString1="Event Viewer", lpString2="System Volume Information") returned -1 [0069.967] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer") returned 41 [0069.967] lstrcmpW (lpString1="Event Viewer", lpString2=".") returned 1 [0069.967] lstrcmpW (lpString1="Event Viewer", lpString2="..") returned 1 [0069.967] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*") returned 43 [0069.967] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0069.968] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.968] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.968] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.968] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.968] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.968] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\.") returned 43 [0069.968] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.968] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.968] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.968] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.968] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.968] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.968] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.968] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\..") returned 44 [0069.968] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.968] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.968] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.968] lstrcmpiW (lpString1="Views", lpString2="Windows") returned -1 [0069.968] lstrcmpiW (lpString1="Views", lpString2="Program Files") returned 1 [0069.968] lstrcmpiW (lpString1="Views", lpString2="Program Files (x86)") returned 1 [0069.968] lstrcmpiW (lpString1="Views", lpString2="$Recycle.bin") returned 1 [0069.968] lstrcmpiW (lpString1="Views", lpString2="System Volume Information") returned 1 [0069.968] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views") returned 47 [0069.968] lstrcmpW (lpString1="Views", lpString2=".") returned 1 [0069.968] lstrcmpW (lpString1="Views", lpString2="..") returned 1 [0069.968] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*") returned 49 [0069.968] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0069.969] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.969] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.969] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.969] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.969] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.969] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\.") returned 49 [0069.969] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.969] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.969] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.969] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.969] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.969] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.969] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.969] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\..") returned 50 [0069.969] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.969] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.969] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0069.969] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Windows") returned -1 [0069.969] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files") returned -1 [0069.969] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files (x86)") returned -1 [0069.969] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="$Recycle.bin") returned 1 [0069.969] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="System Volume Information") returned -1 [0069.969] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned 72 [0069.969] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2=".") returned 1 [0069.969] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2="..") returned 1 [0069.969] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*") returned 74 [0069.969] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0069.969] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.969] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.969] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.969] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.969] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.969] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\.") returned 74 [0069.969] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.969] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0069.969] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.969] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.970] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.970] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.970] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.970] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\..") returned 75 [0069.970] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.970] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.970] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0069.970] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0069.970] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 102 [0069.970] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\applicationviewsrootnode\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0069.970] lstrlenA (lpString="EMPTY") returned 5 [0069.970] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0069.971] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.971] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0069.971] CloseHandle (hObject=0x1dc) returned 1 [0069.971] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0069.971] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0069.971] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 77 [0069.971] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0069.974] lstrlenA (lpString="EMPTY") returned 5 [0069.974] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0069.975] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.975] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0069.975] CloseHandle (hObject=0x1d8) returned 1 [0069.975] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0069.975] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0069.975] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 71 [0069.975] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0069.975] lstrlenA (lpString="EMPTY") returned 5 [0069.975] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0069.976] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0069.976] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0069.976] CloseHandle (hObject=0x1d4) returned 1 [0069.976] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0069.976] lstrcmpiW (lpString1="IdentityCRL", lpString2="Windows") returned -1 [0069.976] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files") returned -1 [0069.976] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files (x86)") returned -1 [0069.976] lstrcmpiW (lpString1="IdentityCRL", lpString2="$Recycle.bin") returned 1 [0069.976] lstrcmpiW (lpString1="IdentityCRL", lpString2="System Volume Information") returned -1 [0069.976] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL") returned 40 [0069.976] lstrcmpW (lpString1="IdentityCRL", lpString2=".") returned 1 [0069.976] lstrcmpW (lpString1="IdentityCRL", lpString2="..") returned 1 [0069.977] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*") returned 42 [0069.977] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0069.977] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0069.977] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0069.977] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0069.977] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0069.977] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0069.977] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\.") returned 42 [0069.977] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0069.977] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.977] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0069.977] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0069.977] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0069.977] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0069.977] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0069.977] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\..") returned 43 [0069.977] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0069.977] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0069.977] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0069.977] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="Windows") returned -1 [0069.977] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="Program Files") returned -1 [0069.977] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="Program Files (x86)") returned -1 [0069.977] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="$Recycle.bin") returned 1 [0069.977] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="System Volume Information") returned -1 [0069.977] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned 56 [0069.977] StrStrIW (lpFirst="ppcrlconfig.dll", lpSrch=".protected") returned 0x0 [0069.977] lstrcmpW (lpString1="ppcrlconfig.dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0069.977] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0069.977] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0069.977] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0069.978] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned 56 [0069.978] StrStrW (lpFirst="ppcrlconfig.dll", lpSrch=".txt") returned 0x0 [0069.978] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned 56 [0069.978] StrStrW (lpFirst="ppcrlconfig.dll", lpSrch=".rar") returned 0x0 [0069.978] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned 56 [0069.978] StrStrW (lpFirst="ppcrlconfig.dll", lpSrch=".zip") returned 0x0 [0069.978] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.029] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.029] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.030] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.030] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0070.064] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0070.064] CloseHandle (hObject=0x1d8) returned 1 [0070.064] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.protected") returned 66 [0070.064] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.protected" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll.protected")) returned 1 [0070.065] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.065] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="Windows") returned -1 [0070.065] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="Program Files") returned -1 [0070.065] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="Program Files (x86)") returned -1 [0070.065] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="$Recycle.bin") returned 1 [0070.065] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="System Volume Information") returned -1 [0070.065] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned 52 [0070.065] StrStrIW (lpFirst="ppcrlui.dll", lpSrch=".protected") returned 0x0 [0070.065] lstrcmpW (lpString1="ppcrlui.dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0070.065] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0070.065] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0070.065] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0070.066] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned 52 [0070.066] StrStrW (lpFirst="ppcrlui.dll", lpSrch=".txt") returned 0x0 [0070.066] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned 52 [0070.066] StrStrW (lpFirst="ppcrlui.dll", lpSrch=".rar") returned 0x0 [0070.066] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned 52 [0070.066] StrStrW (lpFirst="ppcrlui.dll", lpSrch=".zip") returned 0x0 [0070.066] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.110] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.110] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.164] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.165] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0070.165] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0070.165] CloseHandle (hObject=0x1d8) returned 1 [0070.165] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll.protected") returned 62 [0070.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll.protected" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll.protected")) returned 1 [0070.166] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0070.166] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0070.166] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 70 [0070.166] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\identitycrl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0070.167] lstrlenA (lpString="EMPTY") returned 5 [0070.167] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0070.168] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0070.168] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0070.168] CloseHandle (hObject=0x1d4) returned 1 [0070.168] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0070.168] lstrcmpiW (lpString1="Media Player", lpString2="Windows") returned -1 [0070.168] lstrcmpiW (lpString1="Media Player", lpString2="Program Files") returned -1 [0070.168] lstrcmpiW (lpString1="Media Player", lpString2="Program Files (x86)") returned -1 [0070.168] lstrcmpiW (lpString1="Media Player", lpString2="$Recycle.bin") returned 1 [0070.168] lstrcmpiW (lpString1="Media Player", lpString2="System Volume Information") returned -1 [0070.168] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player") returned 41 [0070.168] lstrcmpW (lpString1="Media Player", lpString2=".") returned 1 [0070.168] lstrcmpW (lpString1="Media Player", lpString2="..") returned 1 [0070.168] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*") returned 43 [0070.168] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0070.169] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.169] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.169] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.169] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.169] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.169] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\.") returned 43 [0070.169] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.169] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.169] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.169] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.169] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.169] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.169] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.169] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\..") returned 44 [0070.169] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.169] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.169] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0070.169] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0070.169] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 71 [0070.169] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\media player\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0070.170] lstrlenA (lpString="EMPTY") returned 5 [0070.170] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0070.170] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0070.170] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0070.170] CloseHandle (hObject=0x1d4) returned 1 [0070.171] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0070.171] lstrcmpiW (lpString1="MF", lpString2="Windows") returned -1 [0070.171] lstrcmpiW (lpString1="MF", lpString2="Program Files") returned -1 [0070.171] lstrcmpiW (lpString1="MF", lpString2="Program Files (x86)") returned -1 [0070.171] lstrcmpiW (lpString1="MF", lpString2="$Recycle.bin") returned 1 [0070.171] lstrcmpiW (lpString1="MF", lpString2="System Volume Information") returned -1 [0070.171] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF") returned 31 [0070.171] lstrcmpW (lpString1="MF", lpString2=".") returned 1 [0070.171] lstrcmpW (lpString1="MF", lpString2="..") returned 1 [0070.171] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*") returned 33 [0070.171] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0070.171] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.171] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.171] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.171] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.171] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.171] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\.") returned 33 [0070.171] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.171] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.171] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.171] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.171] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.171] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.171] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.171] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\..") returned 34 [0070.171] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.171] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.171] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.171] lstrcmpiW (lpString1="Active.GRL", lpString2="Windows") returned -1 [0070.171] lstrcmpiW (lpString1="Active.GRL", lpString2="Program Files") returned -1 [0070.171] lstrcmpiW (lpString1="Active.GRL", lpString2="Program Files (x86)") returned -1 [0070.172] lstrcmpiW (lpString1="Active.GRL", lpString2="$Recycle.bin") returned 1 [0070.172] lstrcmpiW (lpString1="Active.GRL", lpString2="System Volume Information") returned -1 [0070.172] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0070.172] StrStrIW (lpFirst="Active.GRL", lpSrch=".protected") returned 0x0 [0070.172] lstrcmpW (lpString1="Active.GRL", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0070.172] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0070.172] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0070.172] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0070.172] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0070.172] StrStrW (lpFirst="Active.GRL", lpSrch=".txt") returned 0x0 [0070.172] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0070.172] StrStrW (lpFirst="Active.GRL", lpSrch=".rar") returned 0x0 [0070.172] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0070.172] StrStrW (lpFirst="Active.GRL", lpSrch=".zip") returned 0x0 [0070.172] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.262] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.262] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.262] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.262] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0070.264] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0070.264] CloseHandle (hObject=0x1d8) returned 1 [0070.264] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.protected") returned 52 [0070.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.protected" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl.protected")) returned 1 [0070.265] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.265] lstrcmpiW (lpString1="Pending.GRL", lpString2="Windows") returned -1 [0070.265] lstrcmpiW (lpString1="Pending.GRL", lpString2="Program Files") returned -1 [0070.265] lstrcmpiW (lpString1="Pending.GRL", lpString2="Program Files (x86)") returned -1 [0070.265] lstrcmpiW (lpString1="Pending.GRL", lpString2="$Recycle.bin") returned 1 [0070.265] lstrcmpiW (lpString1="Pending.GRL", lpString2="System Volume Information") returned -1 [0070.265] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0070.265] StrStrIW (lpFirst="Pending.GRL", lpSrch=".protected") returned 0x0 [0070.265] lstrcmpW (lpString1="Pending.GRL", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0070.265] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0070.265] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0070.265] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0070.265] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0070.265] StrStrW (lpFirst="Pending.GRL", lpSrch=".txt") returned 0x0 [0070.265] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0070.265] StrStrW (lpFirst="Pending.GRL", lpSrch=".rar") returned 0x0 [0070.265] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0070.265] StrStrW (lpFirst="Pending.GRL", lpSrch=".zip") returned 0x0 [0070.265] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.291] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.291] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.291] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.292] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0070.292] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0070.292] CloseHandle (hObject=0x1d8) returned 1 [0070.293] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL.protected") returned 53 [0070.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL.protected" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl.protected")) returned 1 [0070.293] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0070.293] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0070.293] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 61 [0070.293] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\mf\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0070.293] lstrlenA (lpString="EMPTY") returned 5 [0070.293] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0070.294] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0070.294] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0070.294] CloseHandle (hObject=0x1d4) returned 1 [0070.294] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0070.294] lstrcmpiW (lpString1="MSDN", lpString2="Windows") returned -1 [0070.294] lstrcmpiW (lpString1="MSDN", lpString2="Program Files") returned -1 [0070.294] lstrcmpiW (lpString1="MSDN", lpString2="Program Files (x86)") returned -1 [0070.294] lstrcmpiW (lpString1="MSDN", lpString2="$Recycle.bin") returned 1 [0070.294] lstrcmpiW (lpString1="MSDN", lpString2="System Volume Information") returned -1 [0070.294] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN") returned 33 [0070.294] lstrcmpW (lpString1="MSDN", lpString2=".") returned 1 [0070.294] lstrcmpW (lpString1="MSDN", lpString2="..") returned 1 [0070.294] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*") returned 35 [0070.294] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0070.295] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.295] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.295] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.295] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.295] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.295] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\.") returned 35 [0070.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.295] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.295] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.295] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.295] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.295] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.295] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.295] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\..") returned 36 [0070.295] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.295] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.295] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.295] lstrcmpiW (lpString1="8.0", lpString2="Windows") returned -1 [0070.295] lstrcmpiW (lpString1="8.0", lpString2="Program Files") returned -1 [0070.295] lstrcmpiW (lpString1="8.0", lpString2="Program Files (x86)") returned -1 [0070.295] lstrcmpiW (lpString1="8.0", lpString2="$Recycle.bin") returned 1 [0070.295] lstrcmpiW (lpString1="8.0", lpString2="System Volume Information") returned -1 [0070.295] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0") returned 37 [0070.295] lstrcmpW (lpString1="8.0", lpString2=".") returned 1 [0070.295] lstrcmpW (lpString1="8.0", lpString2="..") returned 1 [0070.295] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\*") returned 39 [0070.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0070.295] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.295] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.295] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.295] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.295] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.295] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\.") returned 39 [0070.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.295] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0070.295] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.296] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.296] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.296] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.296] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.296] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\..") returned 40 [0070.296] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.296] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.296] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0070.296] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0070.296] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 67 [0070.296] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\msdn\\8.0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0070.296] lstrlenA (lpString="EMPTY") returned 5 [0070.296] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0070.297] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0070.297] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0070.297] CloseHandle (hObject=0x1d8) returned 1 [0070.297] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0070.297] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0070.297] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 63 [0070.297] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\msdn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0070.298] lstrlenA (lpString="EMPTY") returned 5 [0070.298] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0070.298] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0070.298] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0070.298] CloseHandle (hObject=0x1d4) returned 1 [0070.298] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0070.299] lstrcmpiW (lpString1="NetFramework", lpString2="Windows") returned -1 [0070.299] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files") returned -1 [0070.299] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files (x86)") returned -1 [0070.299] lstrcmpiW (lpString1="NetFramework", lpString2="$Recycle.bin") returned 1 [0070.299] lstrcmpiW (lpString1="NetFramework", lpString2="System Volume Information") returned -1 [0070.299] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework") returned 41 [0070.299] lstrcmpW (lpString1="NetFramework", lpString2=".") returned 1 [0070.299] lstrcmpW (lpString1="NetFramework", lpString2="..") returned 1 [0070.299] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*") returned 43 [0070.299] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0070.299] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.299] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.299] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.299] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.299] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.299] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\.") returned 43 [0070.299] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.299] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.299] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.299] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.300] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.300] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.300] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.300] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\..") returned 44 [0070.300] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.300] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.300] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.300] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Windows") returned -1 [0070.300] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files") returned -1 [0070.300] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files (x86)") returned -1 [0070.300] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="$Recycle.bin") returned 1 [0070.300] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="System Volume Information") returned -1 [0070.300] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore") returned 57 [0070.300] lstrcmpW (lpString1="BreadcrumbStore", lpString2=".") returned 1 [0070.300] lstrcmpW (lpString1="BreadcrumbStore", lpString2="..") returned 1 [0070.300] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*") returned 59 [0070.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0070.300] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.300] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.300] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.300] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.300] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.300] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\.") returned 59 [0070.300] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.300] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0070.300] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.300] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.300] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.300] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.300] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.300] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\..") returned 60 [0070.300] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.300] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.300] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0070.300] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0070.300] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 87 [0070.300] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0070.303] lstrlenA (lpString="EMPTY") returned 5 [0070.303] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0070.303] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0070.303] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0070.303] CloseHandle (hObject=0x1d8) returned 1 [0070.304] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0070.304] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0070.304] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 71 [0070.304] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\netframework\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0070.304] lstrlenA (lpString="EMPTY") returned 5 [0070.304] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0070.305] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0070.305] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0070.305] CloseHandle (hObject=0x1d4) returned 1 [0070.305] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0070.305] lstrcmpiW (lpString1="Network", lpString2="Windows") returned -1 [0070.305] lstrcmpiW (lpString1="Network", lpString2="Program Files") returned -1 [0070.305] lstrcmpiW (lpString1="Network", lpString2="Program Files (x86)") returned -1 [0070.305] lstrcmpiW (lpString1="Network", lpString2="$Recycle.bin") returned 1 [0070.305] lstrcmpiW (lpString1="Network", lpString2="System Volume Information") returned -1 [0070.305] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network") returned 36 [0070.305] lstrcmpW (lpString1="Network", lpString2=".") returned 1 [0070.305] lstrcmpW (lpString1="Network", lpString2="..") returned 1 [0070.305] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*") returned 38 [0070.305] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0070.305] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.305] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.305] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.305] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.305] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.305] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\.") returned 38 [0070.305] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.305] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.305] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.305] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.305] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.305] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.305] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.305] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\..") returned 39 [0070.305] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.305] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.306] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.306] lstrcmpiW (lpString1="Connections", lpString2="Windows") returned -1 [0070.306] lstrcmpiW (lpString1="Connections", lpString2="Program Files") returned -1 [0070.306] lstrcmpiW (lpString1="Connections", lpString2="Program Files (x86)") returned -1 [0070.306] lstrcmpiW (lpString1="Connections", lpString2="$Recycle.bin") returned 1 [0070.306] lstrcmpiW (lpString1="Connections", lpString2="System Volume Information") returned -1 [0070.306] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections") returned 48 [0070.306] lstrcmpW (lpString1="Connections", lpString2=".") returned 1 [0070.306] lstrcmpW (lpString1="Connections", lpString2="..") returned 1 [0070.306] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*") returned 50 [0070.306] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0070.306] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.306] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.306] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.306] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.306] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.306] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\.") returned 50 [0070.306] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.306] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0070.306] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.306] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.306] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.306] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.306] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.306] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\..") returned 51 [0070.306] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.306] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.306] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0070.306] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0070.306] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 78 [0070.306] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\network\\connections\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0070.307] lstrlenA (lpString="EMPTY") returned 5 [0070.307] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0070.308] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0070.308] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0070.308] CloseHandle (hObject=0x1d8) returned 1 [0070.308] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.308] lstrcmpiW (lpString1="Downloader", lpString2="Windows") returned -1 [0070.308] lstrcmpiW (lpString1="Downloader", lpString2="Program Files") returned -1 [0070.308] lstrcmpiW (lpString1="Downloader", lpString2="Program Files (x86)") returned -1 [0070.308] lstrcmpiW (lpString1="Downloader", lpString2="$Recycle.bin") returned 1 [0070.308] lstrcmpiW (lpString1="Downloader", lpString2="System Volume Information") returned -1 [0070.308] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader") returned 47 [0070.308] lstrcmpW (lpString1="Downloader", lpString2=".") returned 1 [0070.308] lstrcmpW (lpString1="Downloader", lpString2="..") returned 1 [0070.308] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*") returned 49 [0070.308] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0070.308] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.308] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.308] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.308] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.308] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.309] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\.") returned 49 [0070.309] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.309] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0070.309] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.309] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.309] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.309] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.309] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.309] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\..") returned 50 [0070.309] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.309] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.309] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0070.309] lstrcmpiW (lpString1="qmgr0.dat", lpString2="Windows") returned -1 [0070.309] lstrcmpiW (lpString1="qmgr0.dat", lpString2="Program Files") returned 1 [0070.309] lstrcmpiW (lpString1="qmgr0.dat", lpString2="Program Files (x86)") returned 1 [0070.309] lstrcmpiW (lpString1="qmgr0.dat", lpString2="$Recycle.bin") returned 1 [0070.309] lstrcmpiW (lpString1="qmgr0.dat", lpString2="System Volume Information") returned -1 [0070.309] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57 [0070.309] StrStrIW (lpFirst="qmgr0.dat", lpSrch=".protected") returned 0x0 [0070.309] lstrcmpW (lpString1="qmgr0.dat", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0070.309] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0070.309] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0070.309] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0070.309] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57 [0070.309] StrStrW (lpFirst="qmgr0.dat", lpSrch=".txt") returned 0x0 [0070.309] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57 [0070.309] StrStrW (lpFirst="qmgr0.dat", lpSrch=".rar") returned 0x0 [0070.309] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57 [0070.309] StrStrW (lpFirst="qmgr0.dat", lpSrch=".zip") returned 0x0 [0070.309] ReadFile (in: hFile=0x1dc, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0070.334] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.335] WriteFile (in: hFile=0x1dc, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0070.335] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.335] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0070.336] WriteFile (in: hFile=0x1dc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0070.336] CloseHandle (hObject=0x1dc) returned 1 [0070.337] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat.protected") returned 67 [0070.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat.protected" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat.protected")) returned 1 [0070.338] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0070.338] lstrcmpiW (lpString1="qmgr1.dat", lpString2="Windows") returned -1 [0070.338] lstrcmpiW (lpString1="qmgr1.dat", lpString2="Program Files") returned 1 [0070.338] lstrcmpiW (lpString1="qmgr1.dat", lpString2="Program Files (x86)") returned 1 [0070.338] lstrcmpiW (lpString1="qmgr1.dat", lpString2="$Recycle.bin") returned 1 [0070.338] lstrcmpiW (lpString1="qmgr1.dat", lpString2="System Volume Information") returned -1 [0070.338] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57 [0070.338] StrStrIW (lpFirst="qmgr1.dat", lpSrch=".protected") returned 0x0 [0070.338] lstrcmpW (lpString1="qmgr1.dat", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0070.338] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0070.338] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0070.338] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0070.338] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57 [0070.338] StrStrW (lpFirst="qmgr1.dat", lpSrch=".txt") returned 0x0 [0070.338] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57 [0070.338] StrStrW (lpFirst="qmgr1.dat", lpSrch=".rar") returned 0x0 [0070.338] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57 [0070.338] StrStrW (lpFirst="qmgr1.dat", lpSrch=".zip") returned 0x0 [0070.338] ReadFile (in: hFile=0x1dc, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0070.411] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.411] WriteFile (in: hFile=0x1dc, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0070.413] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.413] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0070.414] WriteFile (in: hFile=0x1dc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0070.414] CloseHandle (hObject=0x1dc) returned 1 [0070.415] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat.protected") returned 67 [0070.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat.protected" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat.protected")) returned 1 [0070.416] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0070.416] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0070.416] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 77 [0070.416] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0070.426] lstrlenA (lpString="EMPTY") returned 5 [0070.426] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0070.427] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0070.427] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0070.427] CloseHandle (hObject=0x1d8) returned 1 [0070.427] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0070.427] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0070.428] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 66 [0070.428] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\network\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0070.428] lstrlenA (lpString="EMPTY") returned 5 [0070.428] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0070.429] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0070.429] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0070.430] CloseHandle (hObject=0x1d4) returned 1 [0070.430] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0070.430] lstrcmpiW (lpString1="OFFICE", lpString2="Windows") returned -1 [0070.430] lstrcmpiW (lpString1="OFFICE", lpString2="Program Files") returned -1 [0070.430] lstrcmpiW (lpString1="OFFICE", lpString2="Program Files (x86)") returned -1 [0070.430] lstrcmpiW (lpString1="OFFICE", lpString2="$Recycle.bin") returned 1 [0070.430] lstrcmpiW (lpString1="OFFICE", lpString2="System Volume Information") returned -1 [0070.430] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE") returned 35 [0070.430] lstrcmpW (lpString1="OFFICE", lpString2=".") returned 1 [0070.430] lstrcmpW (lpString1="OFFICE", lpString2="..") returned 1 [0070.430] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*") returned 37 [0070.430] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0070.458] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.458] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.458] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.458] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.458] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.458] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\.") returned 37 [0070.458] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.458] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.458] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.458] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.459] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.459] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.459] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.459] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\..") returned 38 [0070.459] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.459] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.459] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="Windows") returned -1 [0070.459] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="Program Files") returned -1 [0070.459] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="Program Files (x86)") returned -1 [0070.459] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="$Recycle.bin") returned 1 [0070.459] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="System Volume Information") returned -1 [0070.459] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned 52 [0070.459] StrStrIW (lpFirst="AssetLibrary.ico", lpSrch=".protected") returned 0x0 [0070.459] lstrcmpW (lpString1="AssetLibrary.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0070.459] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0070.459] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0070.459] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0070.479] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned 52 [0070.479] StrStrW (lpFirst="AssetLibrary.ico", lpSrch=".txt") returned 0x0 [0070.479] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned 52 [0070.479] StrStrW (lpFirst="AssetLibrary.ico", lpSrch=".rar") returned 0x0 [0070.479] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned 52 [0070.479] StrStrW (lpFirst="AssetLibrary.ico", lpSrch=".zip") returned 0x0 [0070.479] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x1536, lpOverlapped=0x0) returned 1 [0070.517] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffeaca, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.518] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x1536, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x1536, lpOverlapped=0x0) returned 1 [0070.518] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.518] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0070.518] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0070.518] CloseHandle (hObject=0x1d8) returned 1 [0070.518] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.protected") returned 62 [0070.518] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.protected" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico.protected")) returned 1 [0070.519] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.519] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="Windows") returned -1 [0070.519] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="Program Files") returned -1 [0070.519] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="Program Files (x86)") returned -1 [0070.519] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="$Recycle.bin") returned 1 [0070.519] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="System Volume Information") returned -1 [0070.519] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned 58 [0070.519] StrStrIW (lpFirst="DocumentRepository.ico", lpSrch=".protected") returned 0x0 [0070.519] lstrcmpW (lpString1="DocumentRepository.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0070.519] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0070.519] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0070.519] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0070.525] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned 58 [0070.526] StrStrW (lpFirst="DocumentRepository.ico", lpSrch=".txt") returned 0x0 [0070.526] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned 58 [0070.526] StrStrW (lpFirst="DocumentRepository.ico", lpSrch=".rar") returned 0x0 [0070.526] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned 58 [0070.526] StrStrW (lpFirst="DocumentRepository.ico", lpSrch=".zip") returned 0x0 [0070.526] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.528] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.528] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.528] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.528] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0070.528] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0070.528] CloseHandle (hObject=0x1d8) returned 1 [0070.528] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico.protected") returned 68 [0070.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico.protected" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico.protected")) returned 1 [0070.529] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.529] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="Windows") returned -1 [0070.529] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="Program Files") returned -1 [0070.529] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="Program Files (x86)") returned -1 [0070.529] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="$Recycle.bin") returned 1 [0070.529] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="System Volume Information") returned -1 [0070.529] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned 53 [0070.529] StrStrIW (lpFirst="MySharePoints.ico", lpSrch=".protected") returned 0x0 [0070.529] lstrcmpW (lpString1="MySharePoints.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0070.529] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0070.529] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0070.529] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0070.530] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned 53 [0070.530] StrStrW (lpFirst="MySharePoints.ico", lpSrch=".txt") returned 0x0 [0070.530] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned 53 [0070.530] StrStrW (lpFirst="MySharePoints.ico", lpSrch=".rar") returned 0x0 [0070.530] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned 53 [0070.530] StrStrW (lpFirst="MySharePoints.ico", lpSrch=".zip") returned 0x0 [0070.530] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.532] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.532] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.532] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.532] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0070.551] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0070.551] CloseHandle (hObject=0x1d8) returned 1 [0070.552] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.protected") returned 63 [0070.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.protected" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico.protected")) returned 1 [0070.552] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.552] lstrcmpiW (lpString1="MySite.ico", lpString2="Windows") returned -1 [0070.552] lstrcmpiW (lpString1="MySite.ico", lpString2="Program Files") returned -1 [0070.552] lstrcmpiW (lpString1="MySite.ico", lpString2="Program Files (x86)") returned -1 [0070.552] lstrcmpiW (lpString1="MySite.ico", lpString2="$Recycle.bin") returned 1 [0070.552] lstrcmpiW (lpString1="MySite.ico", lpString2="System Volume Information") returned -1 [0070.552] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico") returned 46 [0070.552] StrStrIW (lpFirst="MySite.ico", lpSrch=".protected") returned 0x0 [0070.552] lstrcmpW (lpString1="MySite.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0070.553] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0070.553] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0070.553] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0070.615] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico") returned 46 [0070.615] StrStrW (lpFirst="MySite.ico", lpSrch=".txt") returned 0x0 [0070.615] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico") returned 46 [0070.615] StrStrW (lpFirst="MySite.ico", lpSrch=".rar") returned 0x0 [0070.615] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico") returned 46 [0070.615] StrStrW (lpFirst="MySite.ico", lpSrch=".zip") returned 0x0 [0070.615] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.637] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.637] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.637] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.637] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0070.662] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0070.662] CloseHandle (hObject=0x1d8) returned 1 [0070.662] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico.protected") returned 56 [0070.662] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico.protected" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico.protected")) returned 1 [0070.663] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.663] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="Windows") returned -1 [0070.663] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="Program Files") returned 1 [0070.663] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="Program Files (x86)") returned 1 [0070.663] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="$Recycle.bin") returned 1 [0070.663] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="System Volume Information") returned -1 [0070.663] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned 60 [0070.663] StrStrIW (lpFirst="SharePointPortalSite.ico", lpSrch=".protected") returned 0x0 [0070.663] lstrcmpW (lpString1="SharePointPortalSite.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0070.663] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0070.663] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0070.663] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0070.685] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned 60 [0070.685] StrStrW (lpFirst="SharePointPortalSite.ico", lpSrch=".txt") returned 0x0 [0070.685] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned 60 [0070.685] StrStrW (lpFirst="SharePointPortalSite.ico", lpSrch=".rar") returned 0x0 [0070.685] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned 60 [0070.685] StrStrW (lpFirst="SharePointPortalSite.ico", lpSrch=".zip") returned 0x0 [0070.685] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.687] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.687] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.687] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.687] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0070.687] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0070.687] CloseHandle (hObject=0x1d8) returned 1 [0070.687] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico.protected") returned 70 [0070.687] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico.protected" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico.protected")) returned 1 [0070.688] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.688] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="Windows") returned -1 [0070.688] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="Program Files") returned 1 [0070.688] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="Program Files (x86)") returned 1 [0070.688] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="$Recycle.bin") returned 1 [0070.688] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="System Volume Information") returned -1 [0070.688] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned 58 [0070.688] StrStrIW (lpFirst="SharePointTeamSite.ico", lpSrch=".protected") returned 0x0 [0070.688] lstrcmpW (lpString1="SharePointTeamSite.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0070.688] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0070.688] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0070.688] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0070.689] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned 58 [0070.689] StrStrW (lpFirst="SharePointTeamSite.ico", lpSrch=".txt") returned 0x0 [0070.689] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned 58 [0070.689] StrStrW (lpFirst="SharePointTeamSite.ico", lpSrch=".rar") returned 0x0 [0070.689] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned 58 [0070.689] StrStrW (lpFirst="SharePointTeamSite.ico", lpSrch=".zip") returned 0x0 [0070.689] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.704] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.704] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0070.704] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.704] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0070.729] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0070.729] CloseHandle (hObject=0x1d8) returned 1 [0070.730] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico.protected") returned 68 [0070.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico.protected" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico.protected")) returned 1 [0070.730] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0070.730] lstrcmpiW (lpString1="UICaptions", lpString2="Windows") returned -1 [0070.730] lstrcmpiW (lpString1="UICaptions", lpString2="Program Files") returned 1 [0070.730] lstrcmpiW (lpString1="UICaptions", lpString2="Program Files (x86)") returned 1 [0070.730] lstrcmpiW (lpString1="UICaptions", lpString2="$Recycle.bin") returned 1 [0070.730] lstrcmpiW (lpString1="UICaptions", lpString2="System Volume Information") returned 1 [0070.730] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions") returned 46 [0070.730] lstrcmpW (lpString1="UICaptions", lpString2=".") returned 1 [0070.730] lstrcmpW (lpString1="UICaptions", lpString2="..") returned 1 [0070.730] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\*") returned 48 [0070.730] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0070.733] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.733] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.733] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.734] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.734] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.734] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\.") returned 48 [0070.734] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.734] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0070.734] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0070.734] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0070.734] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0070.734] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0070.734] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0070.734] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\..") returned 49 [0070.734] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0070.734] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0070.734] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0070.734] lstrcmpiW (lpString1="1036", lpString2="Windows") returned -1 [0070.734] lstrcmpiW (lpString1="1036", lpString2="Program Files") returned -1 [0070.734] lstrcmpiW (lpString1="1036", lpString2="Program Files (x86)") returned -1 [0070.734] lstrcmpiW (lpString1="1036", lpString2="$Recycle.bin") returned 1 [0070.734] lstrcmpiW (lpString1="1036", lpString2="System Volume Information") returned -1 [0070.734] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036") returned 51 [0070.734] lstrcmpW (lpString1="1036", lpString2=".") returned 1 [0070.734] lstrcmpW (lpString1="1036", lpString2="..") returned 1 [0070.734] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\*") returned 53 [0070.734] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0070.854] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0070.854] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0070.854] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0070.854] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0070.854] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0070.854] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\.") returned 53 [0070.854] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0070.854] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0071.028] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0071.028] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0071.028] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0071.028] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0071.028] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0071.028] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\..") returned 54 [0071.028] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0071.028] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0071.028] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0071.028] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Windows") returned -1 [0071.028] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files") returned -1 [0071.028] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0071.028] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0071.028] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0071.028] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned 72 [0071.028] StrStrIW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0071.028] lstrcmpW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0071.028] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0071.028] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0071.028] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0071.028] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned 72 [0071.028] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0071.028] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned 72 [0071.028] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0071.028] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned 72 [0071.028] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0071.028] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.080] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.081] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.081] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.081] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0071.128] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0071.128] CloseHandle (hObject=0x1e0) returned 1 [0071.129] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.protected") returned 82 [0071.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll.protected")) returned 1 [0071.129] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0071.129] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Windows") returned -1 [0071.129] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files") returned -1 [0071.129] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0071.129] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0071.129] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0071.129] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned 72 [0071.129] StrStrIW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0071.130] lstrcmpW (lpString1="GRINTL32.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0071.130] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0071.130] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0071.130] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0071.130] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned 72 [0071.130] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0071.131] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned 72 [0071.131] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0071.131] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned 72 [0071.131] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0071.131] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.211] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.211] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.211] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.212] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0071.271] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0071.271] CloseHandle (hObject=0x1e0) returned 1 [0071.271] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.protected") returned 82 [0071.271] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll.protected")) returned 1 [0071.272] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0071.272] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Windows") returned -1 [0071.272] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files") returned -1 [0071.272] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0071.272] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0071.272] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="System Volume Information") returned -1 [0071.272] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned 73 [0071.272] StrStrIW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".protected") returned 0x0 [0071.272] lstrcmpW (lpString1="GRINTL32.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0071.272] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0071.272] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0071.272] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0071.273] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned 73 [0071.273] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".txt") returned 0x0 [0071.273] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned 73 [0071.273] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".rar") returned 0x0 [0071.273] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned 73 [0071.273] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".zip") returned 0x0 [0071.273] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.365] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.365] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.365] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.365] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0071.466] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0071.466] CloseHandle (hObject=0x1e0) returned 1 [0071.467] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.protected") returned 83 [0071.467] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll.protected")) returned 1 [0071.468] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0071.468] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Windows") returned -1 [0071.468] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files") returned -1 [0071.468] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0071.468] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0071.468] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0071.468] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned 69 [0071.468] StrStrIW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0071.468] lstrcmpW (lpString1="MAPIR.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0071.468] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0071.468] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0071.468] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0071.471] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned 69 [0071.471] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0071.471] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned 69 [0071.471] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0071.471] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned 69 [0071.471] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0071.471] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.564] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.564] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.565] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.565] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0071.566] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0071.566] CloseHandle (hObject=0x1e0) returned 1 [0071.567] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.protected") returned 79 [0071.567] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll.protected")) returned 1 [0071.567] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0071.567] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Windows") returned -1 [0071.567] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files") returned -1 [0071.568] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0071.568] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0071.568] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0071.568] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned 72 [0071.568] StrStrIW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".protected") returned 0x0 [0071.568] lstrcmpW (lpString1="MOR6INT.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0071.568] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0071.568] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0071.568] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0071.569] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned 72 [0071.569] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".txt") returned 0x0 [0071.569] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned 72 [0071.569] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".rar") returned 0x0 [0071.569] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned 72 [0071.569] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".zip") returned 0x0 [0071.569] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.685] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.685] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.686] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.686] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0071.702] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0071.702] CloseHandle (hObject=0x1e0) returned 1 [0071.703] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.protected") returned 82 [0071.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll.protected")) returned 1 [0071.704] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0071.704] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0071.704] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0071.704] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0071.704] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0071.704] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0071.704] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned 71 [0071.704] StrStrIW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0071.704] lstrcmpW (lpString1="MSOINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0071.704] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0071.704] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0071.704] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0071.704] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned 71 [0071.704] StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0071.704] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned 71 [0071.704] StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0071.704] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned 71 [0071.704] StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0071.705] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.806] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.806] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.807] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.807] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0071.808] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0071.808] CloseHandle (hObject=0x1e0) returned 1 [0071.808] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.protected") returned 81 [0071.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll.protected")) returned 1 [0071.809] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0071.809] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Windows") returned -1 [0071.809] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0071.809] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0071.809] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0071.809] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0071.809] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned 72 [0071.809] StrStrIW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0071.809] lstrcmpW (lpString1="MSOINTL.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0071.809] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0071.809] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0071.809] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0071.810] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned 72 [0071.810] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0071.810] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned 72 [0071.810] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0071.810] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned 72 [0071.810] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0071.810] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.855] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.855] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.856] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.856] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0071.857] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0071.857] CloseHandle (hObject=0x1e0) returned 1 [0071.857] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.protected") returned 82 [0071.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll.protected")) returned 1 [0071.858] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0071.858] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0071.858] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0071.858] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0071.858] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0071.858] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0071.858] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned 71 [0071.858] StrStrIW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0071.858] lstrcmpW (lpString1="OMSINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0071.858] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0071.858] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0071.858] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0071.859] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned 71 [0071.859] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0071.859] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned 71 [0071.859] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0071.859] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned 71 [0071.859] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0071.859] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.907] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.907] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0071.949] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.949] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0071.949] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0071.949] CloseHandle (hObject=0x1e0) returned 1 [0071.950] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.protected") returned 81 [0071.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll.protected")) returned 1 [0071.950] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0071.950] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0071.950] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0071.950] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0071.950] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0071.950] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0071.950] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned 70 [0071.950] StrStrIW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0071.950] lstrcmpW (lpString1="ONINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0071.950] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0071.950] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0071.950] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0071.951] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned 70 [0071.951] StrStrW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0071.951] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned 70 [0071.951] StrStrW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0071.951] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned 70 [0071.951] StrStrW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0071.951] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.015] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.015] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.016] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.016] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0072.020] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0072.020] CloseHandle (hObject=0x1e0) returned 1 [0072.055] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.protected") returned 80 [0072.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll.protected")) returned 1 [0072.055] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0072.055] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Windows") returned -1 [0072.055] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0072.055] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0072.055] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0072.055] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0072.055] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned 71 [0072.055] StrStrIW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0072.056] lstrcmpW (lpString1="ONINTL.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0072.056] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0072.056] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0072.056] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0072.056] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned 71 [0072.056] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0072.056] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned 71 [0072.056] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0072.056] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned 71 [0072.056] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0072.056] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.113] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.113] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.114] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.114] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0072.206] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0072.206] CloseHandle (hObject=0x1e0) returned 1 [0072.277] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.protected") returned 81 [0072.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll.protected")) returned 1 [0072.278] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0072.278] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Windows") returned -1 [0072.278] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files") returned -1 [0072.278] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0072.278] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0072.278] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0072.278] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned 72 [0072.278] StrStrIW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0072.278] lstrcmpW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0072.278] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0072.278] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0072.278] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0072.279] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned 72 [0072.279] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0072.279] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned 72 [0072.279] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0072.279] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned 72 [0072.279] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0072.279] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.280] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.280] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.280] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.280] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0072.545] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0072.545] CloseHandle (hObject=0x1e0) returned 1 [0072.546] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.protected") returned 82 [0072.546] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll.protected")) returned 1 [0072.547] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0072.547] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Windows") returned -1 [0072.547] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files") returned -1 [0072.547] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0072.547] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0072.547] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="System Volume Information") returned -1 [0072.547] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned 73 [0072.547] StrStrIW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".protected") returned 0x0 [0072.547] lstrcmpW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0072.547] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0072.547] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0072.547] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0072.548] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned 73 [0072.548] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".txt") returned 0x0 [0072.548] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned 73 [0072.548] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".rar") returned 0x0 [0072.548] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned 73 [0072.548] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".zip") returned 0x0 [0072.548] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.566] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.566] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.566] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.566] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0072.588] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0072.588] CloseHandle (hObject=0x1e0) returned 1 [0072.589] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.protected") returned 83 [0072.589] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll.protected")) returned 1 [0072.589] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0072.589] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Windows") returned -1 [0072.589] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files") returned -1 [0072.589] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0072.589] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0072.589] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0072.589] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned 71 [0072.590] StrStrIW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0072.590] lstrcmpW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0072.590] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0072.590] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0072.590] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0072.590] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned 71 [0072.590] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0072.590] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned 71 [0072.590] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0072.590] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned 71 [0072.590] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0072.590] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.665] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.666] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.666] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.666] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0072.666] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0072.666] CloseHandle (hObject=0x1e0) returned 1 [0072.667] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.protected") returned 81 [0072.667] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll.protected")) returned 1 [0072.668] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0072.668] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0072.668] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0072.668] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0072.668] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0072.668] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0072.668] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned 70 [0072.668] StrStrIW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0072.668] lstrcmpW (lpString1="PPINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0072.668] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0072.668] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0072.668] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0072.669] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned 70 [0072.669] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0072.669] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned 70 [0072.669] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0072.669] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned 70 [0072.669] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0072.669] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.684] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.684] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.685] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.685] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0072.730] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0072.730] CloseHandle (hObject=0x1e0) returned 1 [0072.742] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.protected") returned 80 [0072.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll.protected")) returned 1 [0072.743] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0072.743] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Windows") returned -1 [0072.743] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0072.743] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0072.743] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0072.743] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0072.743] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned 71 [0072.743] StrStrIW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0072.743] lstrcmpW (lpString1="PPINTL.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0072.743] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0072.743] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0072.743] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0072.744] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned 71 [0072.744] StrStrW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0072.744] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned 71 [0072.744] StrStrW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0072.744] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned 71 [0072.744] StrStrW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0072.744] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.809] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.810] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.810] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.810] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0072.812] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0072.812] CloseHandle (hObject=0x1e0) returned 1 [0072.813] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.protected") returned 81 [0072.813] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll.protected")) returned 1 [0072.814] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0072.814] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Windows") returned -1 [0072.814] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0072.814] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0072.814] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0072.814] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0072.814] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned 72 [0072.814] StrStrIW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0072.814] lstrcmpW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0072.814] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0072.814] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0072.814] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0072.818] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned 72 [0072.818] StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0072.818] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned 72 [0072.818] StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0072.818] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned 72 [0072.818] StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0072.818] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.820] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.820] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.820] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.820] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0072.836] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0072.836] CloseHandle (hObject=0x1e0) returned 1 [0072.837] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.protected") returned 82 [0072.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll.protected")) returned 1 [0072.838] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0072.838] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Windows") returned -1 [0072.838] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files") returned 1 [0072.838] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0072.838] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0072.838] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0072.838] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned 73 [0072.838] StrStrIW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0072.838] lstrcmpW (lpString1="PUB6INTL.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0072.838] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0072.838] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0072.838] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0072.838] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned 73 [0072.838] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0072.838] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned 73 [0072.838] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0072.838] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned 73 [0072.838] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0072.838] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.894] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.894] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0072.895] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.895] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0072.944] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0072.944] CloseHandle (hObject=0x1e0) returned 1 [0072.945] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.protected") returned 83 [0072.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll.protected")) returned 1 [0072.947] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0072.948] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Windows") returned -1 [0072.948] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files") returned 1 [0072.948] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0072.948] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0072.948] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0072.948] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned 73 [0072.948] StrStrIW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".protected") returned 0x0 [0072.948] lstrcmpW (lpString1="PUBWZINT.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0072.948] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0072.948] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0072.948] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0072.949] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned 73 [0072.949] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".txt") returned 0x0 [0072.949] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned 73 [0072.949] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".rar") returned 0x0 [0072.949] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned 73 [0072.949] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".zip") returned 0x0 [0072.949] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.059] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.059] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.060] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.061] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0073.078] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0073.078] CloseHandle (hObject=0x1e0) returned 1 [0073.078] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.protected") returned 83 [0073.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll.protected")) returned 1 [0073.079] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Windows") returned -1 [0073.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0073.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0073.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0073.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0073.079] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned 69 [0073.079] StrStrIW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0073.079] lstrcmpW (lpString1="SGRES.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0073.079] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0073.079] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0073.079] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0073.080] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned 69 [0073.080] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0073.080] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned 69 [0073.080] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0073.080] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned 69 [0073.080] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0073.080] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.096] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.096] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.097] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.097] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0073.109] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0073.109] CloseHandle (hObject=0x1e0) returned 1 [0073.110] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.protected") returned 79 [0073.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll.protected")) returned 1 [0073.111] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.111] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0073.111] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0073.111] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0073.111] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0073.111] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0073.111] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned 70 [0073.111] StrStrIW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0073.111] lstrcmpW (lpString1="STINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0073.111] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0073.111] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0073.111] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0073.112] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned 70 [0073.112] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0073.112] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned 70 [0073.112] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0073.112] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned 70 [0073.112] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0073.112] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.114] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.114] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.114] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.114] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0073.114] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0073.114] CloseHandle (hObject=0x1e0) returned 1 [0073.115] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.protected") returned 80 [0073.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll.protected")) returned 1 [0073.115] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.115] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Windows") returned -1 [0073.115] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0073.115] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0073.115] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0073.116] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0073.116] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned 72 [0073.116] StrStrIW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0073.116] lstrcmpW (lpString1="VISBRRES.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0073.116] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0073.116] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0073.116] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0073.116] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned 72 [0073.116] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0073.116] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned 72 [0073.116] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0073.116] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned 72 [0073.116] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0073.116] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.209] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.209] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.210] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.210] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0073.226] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0073.226] CloseHandle (hObject=0x1e0) returned 1 [0073.227] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.protected") returned 82 [0073.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll.protected")) returned 1 [0073.227] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.227] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0073.227] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0073.227] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0073.227] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0073.227] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0073.227] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned 71 [0073.227] StrStrIW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0073.227] lstrcmpW (lpString1="VISINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0073.227] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0073.227] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0073.227] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0073.228] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned 71 [0073.228] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0073.228] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned 71 [0073.228] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0073.228] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned 71 [0073.228] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0073.228] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.288] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.289] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.289] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.289] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0073.374] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0073.374] CloseHandle (hObject=0x1e0) returned 1 [0073.375] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.protected") returned 81 [0073.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll.protected")) returned 1 [0073.376] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.376] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Windows") returned 1 [0073.376] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0073.376] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0073.376] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0073.376] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0073.376] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned 70 [0073.376] StrStrIW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0073.376] lstrcmpW (lpString1="WWINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0073.376] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0073.376] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0073.376] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0073.376] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned 70 [0073.376] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0073.376] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned 70 [0073.376] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0073.376] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned 70 [0073.376] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0073.376] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.388] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.388] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.388] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.388] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0073.389] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0073.389] CloseHandle (hObject=0x1e0) returned 1 [0073.406] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.protected") returned 80 [0073.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll.protected")) returned 1 [0073.408] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.408] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Windows") returned 1 [0073.408] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files") returned 1 [0073.408] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0073.408] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0073.408] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="System Volume Information") returned 1 [0073.408] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned 71 [0073.408] StrStrIW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0073.408] lstrcmpW (lpString1="WWINTL.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0073.408] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0073.408] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0073.408] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0073.408] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned 71 [0073.408] StrStrW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0073.408] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned 71 [0073.408] StrStrW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0073.408] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned 71 [0073.408] StrStrW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0073.408] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.438] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.438] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.439] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.439] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0073.514] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0073.514] CloseHandle (hObject=0x1e0) returned 1 [0073.532] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.protected") returned 81 [0073.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll.protected")) returned 1 [0073.533] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.533] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Windows") returned 1 [0073.533] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files") returned 1 [0073.533] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0073.533] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0073.533] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0073.533] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned 72 [0073.533] StrStrIW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0073.533] lstrcmpW (lpString1="XLINTL32.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0073.533] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0073.533] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0073.533] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0073.534] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned 72 [0073.534] StrStrW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0073.534] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned 72 [0073.534] StrStrW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0073.534] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned 72 [0073.534] StrStrW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0073.534] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.535] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.535] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.536] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.536] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0073.572] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0073.572] CloseHandle (hObject=0x1e0) returned 1 [0073.573] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.protected") returned 82 [0073.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll.protected")) returned 1 [0073.573] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.573] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Windows") returned 1 [0073.573] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files") returned 1 [0073.573] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0073.573] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0073.573] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="System Volume Information") returned 1 [0073.573] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned 73 [0073.573] StrStrIW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".protected") returned 0x0 [0073.573] lstrcmpW (lpString1="XLINTL32.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0073.573] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0073.573] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0073.573] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0073.574] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned 73 [0073.574] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".txt") returned 0x0 [0073.574] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned 73 [0073.574] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".rar") returned 0x0 [0073.574] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned 73 [0073.574] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".zip") returned 0x0 [0073.574] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.577] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.577] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.578] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.578] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0073.586] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0073.586] CloseHandle (hObject=0x1e0) returned 1 [0073.596] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.protected") returned 83 [0073.596] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll.protected")) returned 1 [0073.596] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.596] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Windows") returned 1 [0073.597] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files") returned 1 [0073.597] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0073.597] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0073.597] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0073.597] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned 72 [0073.597] StrStrIW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0073.597] lstrcmpW (lpString1="XLSLICER.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0073.597] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0073.597] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0073.597] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0073.597] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned 72 [0073.597] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0073.597] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned 72 [0073.597] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0073.597] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned 72 [0073.597] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0073.597] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.642] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.642] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.643] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.643] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0073.648] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0073.648] CloseHandle (hObject=0x1e0) returned 1 [0073.648] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.protected") returned 82 [0073.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll.protected")) returned 1 [0073.649] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0073.649] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0073.649] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 81 [0073.649] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0073.649] lstrlenA (lpString="EMPTY") returned 5 [0073.649] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0073.650] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0073.650] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0073.650] CloseHandle (hObject=0x1dc) returned 1 [0073.650] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0073.650] lstrcmpiW (lpString1="3082", lpString2="Windows") returned -1 [0073.650] lstrcmpiW (lpString1="3082", lpString2="Program Files") returned -1 [0073.650] lstrcmpiW (lpString1="3082", lpString2="Program Files (x86)") returned -1 [0073.650] lstrcmpiW (lpString1="3082", lpString2="$Recycle.bin") returned 1 [0073.650] lstrcmpiW (lpString1="3082", lpString2="System Volume Information") returned -1 [0073.650] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082") returned 51 [0073.650] lstrcmpW (lpString1="3082", lpString2=".") returned 1 [0073.650] lstrcmpW (lpString1="3082", lpString2="..") returned 1 [0073.650] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\*") returned 53 [0073.650] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0073.723] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0073.723] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0073.723] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0073.723] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0073.723] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0073.723] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\.") returned 53 [0073.723] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.723] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.732] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0073.732] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0073.732] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0073.732] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0073.732] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0073.732] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\..") returned 54 [0073.732] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.732] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.732] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.732] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Windows") returned -1 [0073.732] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files") returned -1 [0073.732] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0073.732] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0073.732] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0073.732] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned 72 [0073.732] StrStrIW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0073.732] lstrcmpW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0073.732] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0073.732] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0073.732] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0073.733] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned 72 [0073.733] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0073.733] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned 72 [0073.733] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0073.733] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned 72 [0073.733] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0073.733] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.757] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.758] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.758] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.758] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0073.759] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0073.759] CloseHandle (hObject=0x1e0) returned 1 [0073.760] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.protected") returned 82 [0073.760] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll.protected")) returned 1 [0073.760] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.760] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Windows") returned -1 [0073.760] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files") returned -1 [0073.760] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0073.760] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0073.760] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0073.760] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned 72 [0073.760] StrStrIW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0073.761] lstrcmpW (lpString1="GRINTL32.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0073.761] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0073.761] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0073.761] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0073.761] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned 72 [0073.761] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0073.761] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned 72 [0073.761] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0073.761] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned 72 [0073.761] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0073.761] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.771] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.771] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.772] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.772] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0073.930] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0073.930] CloseHandle (hObject=0x1e0) returned 1 [0073.931] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.protected") returned 82 [0073.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll.protected")) returned 1 [0073.931] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.931] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Windows") returned -1 [0073.931] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files") returned -1 [0073.931] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0073.931] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0073.931] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="System Volume Information") returned -1 [0073.931] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned 73 [0073.931] StrStrIW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".protected") returned 0x0 [0073.931] lstrcmpW (lpString1="GRINTL32.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0073.931] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0073.932] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0073.932] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0073.932] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned 73 [0073.932] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".txt") returned 0x0 [0073.932] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned 73 [0073.932] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".rar") returned 0x0 [0073.932] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned 73 [0073.932] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".zip") returned 0x0 [0073.932] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.944] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.944] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0073.944] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.944] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0073.970] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0073.970] CloseHandle (hObject=0x1e0) returned 1 [0073.971] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.protected") returned 83 [0073.971] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll.protected")) returned 1 [0073.971] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0073.971] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Windows") returned -1 [0073.971] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files") returned -1 [0073.971] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0073.971] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0073.971] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0073.971] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned 69 [0073.971] StrStrIW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0073.971] lstrcmpW (lpString1="MAPIR.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0073.971] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0073.972] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0073.972] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0073.972] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned 69 [0073.972] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0073.972] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned 69 [0073.972] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0073.972] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned 69 [0073.972] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0073.972] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.052] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.052] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.053] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.053] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.087] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.087] CloseHandle (hObject=0x1e0) returned 1 [0074.088] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.protected") returned 79 [0074.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll.protected")) returned 1 [0074.088] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.088] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Windows") returned -1 [0074.089] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files") returned -1 [0074.089] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0074.089] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.089] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0074.089] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned 72 [0074.089] StrStrIW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".protected") returned 0x0 [0074.089] lstrcmpW (lpString1="MOR6INT.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.089] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.089] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.089] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.090] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned 72 [0074.090] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".txt") returned 0x0 [0074.090] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned 72 [0074.090] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".rar") returned 0x0 [0074.090] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned 72 [0074.090] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".zip") returned 0x0 [0074.090] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.169] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.169] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.169] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.169] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.193] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.193] CloseHandle (hObject=0x1e0) returned 1 [0074.194] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.protected") returned 82 [0074.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll.protected")) returned 1 [0074.194] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.194] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0074.194] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0074.194] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0074.194] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.194] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0074.194] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned 71 [0074.194] StrStrIW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0074.194] lstrcmpW (lpString1="MSOINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.194] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.194] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.195] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.195] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned 71 [0074.195] StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0074.195] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned 71 [0074.195] StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0074.195] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned 71 [0074.195] StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0074.195] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.204] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.204] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.204] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.204] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.237] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.237] CloseHandle (hObject=0x1e0) returned 1 [0074.238] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.protected") returned 81 [0074.238] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll.protected")) returned 1 [0074.239] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.239] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Windows") returned -1 [0074.239] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0074.239] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0074.239] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.239] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0074.239] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned 72 [0074.239] StrStrIW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0074.239] lstrcmpW (lpString1="MSOINTL.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.239] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.239] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.239] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.239] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned 72 [0074.239] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0074.239] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned 72 [0074.239] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0074.239] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned 72 [0074.239] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0074.239] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.285] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.285] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.286] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.286] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.308] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.308] CloseHandle (hObject=0x1e0) returned 1 [0074.308] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.protected") returned 82 [0074.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll.protected")) returned 1 [0074.309] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.309] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0074.309] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0074.309] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0074.309] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.309] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0074.309] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned 71 [0074.309] StrStrIW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0074.309] lstrcmpW (lpString1="OMSINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.309] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.309] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.309] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.309] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned 71 [0074.309] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0074.309] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned 71 [0074.309] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0074.309] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned 71 [0074.309] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0074.309] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.337] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.337] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.338] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.338] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.380] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.380] CloseHandle (hObject=0x1e0) returned 1 [0074.380] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.protected") returned 81 [0074.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll.protected")) returned 1 [0074.381] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.381] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0074.381] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0074.381] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0074.381] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.381] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0074.381] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned 70 [0074.381] StrStrIW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0074.381] lstrcmpW (lpString1="ONINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.381] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.381] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.381] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.381] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned 70 [0074.381] StrStrW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0074.381] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned 70 [0074.381] StrStrW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0074.381] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned 70 [0074.381] StrStrW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0074.381] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.421] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.421] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.423] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.423] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.423] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.423] CloseHandle (hObject=0x1e0) returned 1 [0074.423] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.protected") returned 80 [0074.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll.protected")) returned 1 [0074.424] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.424] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Windows") returned -1 [0074.424] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0074.424] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0074.424] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.424] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0074.424] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned 71 [0074.424] StrStrIW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0074.424] lstrcmpW (lpString1="ONINTL.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.424] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.424] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.424] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.424] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned 71 [0074.425] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0074.425] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned 71 [0074.425] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0074.425] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned 71 [0074.425] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0074.425] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.426] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.426] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.427] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.427] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.463] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.463] CloseHandle (hObject=0x1e0) returned 1 [0074.464] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.protected") returned 81 [0074.464] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll.protected")) returned 1 [0074.464] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.464] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Windows") returned -1 [0074.464] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files") returned -1 [0074.464] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0074.464] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.464] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0074.465] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned 72 [0074.465] StrStrIW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0074.465] lstrcmpW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.465] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.465] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.465] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned 72 [0074.465] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0074.465] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned 72 [0074.465] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0074.465] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned 72 [0074.465] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0074.465] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.466] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.466] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.467] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.467] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.511] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.511] CloseHandle (hObject=0x1e0) returned 1 [0074.511] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.protected") returned 82 [0074.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll.protected")) returned 1 [0074.512] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.512] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Windows") returned -1 [0074.512] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files") returned -1 [0074.512] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0074.512] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.512] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="System Volume Information") returned -1 [0074.512] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned 73 [0074.512] StrStrIW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".protected") returned 0x0 [0074.512] lstrcmpW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.512] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.512] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.512] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.512] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned 73 [0074.512] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".txt") returned 0x0 [0074.512] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned 73 [0074.512] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".rar") returned 0x0 [0074.512] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned 73 [0074.512] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".zip") returned 0x0 [0074.512] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.556] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.556] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.557] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.557] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.587] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.588] CloseHandle (hObject=0x1e0) returned 1 [0074.589] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.protected") returned 83 [0074.589] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll.protected")) returned 1 [0074.590] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.590] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Windows") returned -1 [0074.590] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files") returned -1 [0074.590] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0074.590] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.590] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0074.590] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned 71 [0074.590] StrStrIW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0074.590] lstrcmpW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.590] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.590] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.590] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.590] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned 71 [0074.590] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0074.590] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned 71 [0074.590] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0074.591] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned 71 [0074.591] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0074.591] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.598] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.598] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.599] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.599] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.599] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.599] CloseHandle (hObject=0x1e0) returned 1 [0074.599] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.protected") returned 81 [0074.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll.protected")) returned 1 [0074.600] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.600] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0074.600] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0074.600] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0074.600] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.600] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0074.600] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned 70 [0074.600] StrStrIW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0074.600] lstrcmpW (lpString1="PPINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.600] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.600] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.600] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.600] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned 70 [0074.600] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0074.600] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned 70 [0074.600] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0074.600] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned 70 [0074.600] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0074.600] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.620] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.621] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.621] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.621] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.622] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.622] CloseHandle (hObject=0x1e0) returned 1 [0074.622] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.protected") returned 80 [0074.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll.protected")) returned 1 [0074.623] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.623] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Windows") returned -1 [0074.623] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0074.623] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0074.623] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.623] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0074.623] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned 71 [0074.623] StrStrIW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0074.623] lstrcmpW (lpString1="PPINTL.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.623] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.623] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.623] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.623] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned 71 [0074.623] StrStrW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0074.623] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned 71 [0074.623] StrStrW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0074.623] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned 71 [0074.623] StrStrW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0074.623] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.635] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.635] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.636] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.636] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.638] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.638] CloseHandle (hObject=0x1e0) returned 1 [0074.638] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.protected") returned 81 [0074.638] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll.protected")) returned 1 [0074.639] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.639] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Windows") returned -1 [0074.639] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0074.639] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0074.639] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.639] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0074.639] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned 72 [0074.639] StrStrIW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0074.639] lstrcmpW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.639] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.639] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.639] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.639] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned 72 [0074.639] StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0074.639] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned 72 [0074.639] StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0074.639] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned 72 [0074.640] StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0074.640] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.799] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.799] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.799] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.799] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.800] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.800] CloseHandle (hObject=0x1e0) returned 1 [0074.816] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.protected") returned 82 [0074.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll.protected")) returned 1 [0074.817] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.817] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Windows") returned -1 [0074.817] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files") returned 1 [0074.817] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0074.817] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.817] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0074.817] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned 73 [0074.817] StrStrIW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0074.817] lstrcmpW (lpString1="PUB6INTL.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.817] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.817] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.817] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.817] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned 73 [0074.817] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0074.817] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned 73 [0074.817] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0074.817] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned 73 [0074.817] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0074.817] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.833] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.833] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.834] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.834] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.844] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.845] CloseHandle (hObject=0x1e0) returned 1 [0074.845] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.protected") returned 83 [0074.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll.protected")) returned 1 [0074.846] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.846] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Windows") returned -1 [0074.846] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files") returned 1 [0074.846] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0074.846] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.846] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0074.846] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned 73 [0074.846] StrStrIW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".protected") returned 0x0 [0074.846] lstrcmpW (lpString1="PUBWZINT.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.846] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.846] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.846] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.846] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned 73 [0074.846] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".txt") returned 0x0 [0074.846] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned 73 [0074.846] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".rar") returned 0x0 [0074.846] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned 73 [0074.846] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".zip") returned 0x0 [0074.846] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.916] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.916] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.917] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.917] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.918] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.918] CloseHandle (hObject=0x1e0) returned 1 [0074.919] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.protected") returned 83 [0074.919] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll.protected")) returned 1 [0074.920] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.920] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Windows") returned -1 [0074.920] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0074.920] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0074.920] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.920] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0074.920] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned 69 [0074.920] StrStrIW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0074.920] lstrcmpW (lpString1="SGRES.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.920] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.920] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.921] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.921] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned 69 [0074.921] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0074.921] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned 69 [0074.921] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0074.921] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned 69 [0074.921] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0074.921] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.940] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.940] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.941] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.941] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.949] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.949] CloseHandle (hObject=0x1e0) returned 1 [0074.949] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.protected") returned 79 [0074.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll.protected")) returned 1 [0074.950] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.950] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0074.950] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0074.950] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0074.950] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.950] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0074.950] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned 70 [0074.950] StrStrIW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0074.950] lstrcmpW (lpString1="STINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.950] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.951] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.951] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.951] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned 70 [0074.951] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0074.951] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned 70 [0074.951] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0074.951] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned 70 [0074.951] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0074.951] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.983] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.983] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0074.984] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.984] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0074.984] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0074.984] CloseHandle (hObject=0x1e0) returned 1 [0074.985] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.protected") returned 80 [0074.985] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll.protected")) returned 1 [0074.985] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0074.985] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Windows") returned -1 [0074.985] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0074.986] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0074.986] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0074.986] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0074.986] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned 72 [0074.986] StrStrIW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0074.986] lstrcmpW (lpString1="VISBRRES.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0074.986] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0074.986] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0074.986] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0074.986] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned 72 [0074.986] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0074.986] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned 72 [0074.986] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0074.986] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned 72 [0074.986] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0074.986] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.000] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.000] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.001] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.001] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0075.001] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0075.001] CloseHandle (hObject=0x1e0) returned 1 [0075.002] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.protected") returned 82 [0075.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll.protected")) returned 1 [0075.003] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.003] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0075.003] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0075.003] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0075.003] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0075.003] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0075.003] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned 71 [0075.003] StrStrIW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0075.003] lstrcmpW (lpString1="VISINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.003] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0075.003] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0075.003] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0075.003] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned 71 [0075.003] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0075.003] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned 71 [0075.003] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0075.003] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned 71 [0075.003] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0075.003] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.047] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.047] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.048] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.048] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0075.059] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0075.059] CloseHandle (hObject=0x1e0) returned 1 [0075.060] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.protected") returned 81 [0075.060] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll.protected")) returned 1 [0075.061] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.061] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Windows") returned 1 [0075.061] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0075.061] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0075.061] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0075.061] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0075.061] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned 70 [0075.061] StrStrIW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0075.061] lstrcmpW (lpString1="WWINTL.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.061] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0075.061] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0075.061] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0075.061] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned 70 [0075.061] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0075.061] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned 70 [0075.061] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0075.061] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned 70 [0075.061] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0075.061] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.093] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.093] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.094] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.094] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0075.111] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0075.111] CloseHandle (hObject=0x1e0) returned 1 [0075.111] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.protected") returned 80 [0075.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll.protected")) returned 1 [0075.112] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.112] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Windows") returned 1 [0075.112] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files") returned 1 [0075.112] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0075.112] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0075.112] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="System Volume Information") returned 1 [0075.112] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned 71 [0075.112] StrStrIW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".protected") returned 0x0 [0075.112] lstrcmpW (lpString1="WWINTL.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.112] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0075.112] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0075.112] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0075.113] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned 71 [0075.113] StrStrW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0075.113] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned 71 [0075.113] StrStrW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".rar") returned 0x0 [0075.113] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned 71 [0075.113] StrStrW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".zip") returned 0x0 [0075.113] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.158] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.158] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.159] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.159] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0075.187] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0075.187] CloseHandle (hObject=0x1e0) returned 1 [0075.188] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.protected") returned 81 [0075.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll.protected")) returned 1 [0075.188] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.188] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Windows") returned 1 [0075.188] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files") returned 1 [0075.188] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0075.189] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0075.189] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0075.189] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned 72 [0075.189] StrStrIW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0075.189] lstrcmpW (lpString1="XLINTL32.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.189] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0075.189] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0075.189] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0075.189] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned 72 [0075.189] StrStrW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0075.189] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned 72 [0075.189] StrStrW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0075.189] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned 72 [0075.189] StrStrW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0075.189] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.236] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.236] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.237] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.237] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0075.313] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0075.313] CloseHandle (hObject=0x1e0) returned 1 [0075.314] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.protected") returned 82 [0075.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll.protected")) returned 1 [0075.315] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.315] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Windows") returned 1 [0075.315] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files") returned 1 [0075.315] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0075.315] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0075.315] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="System Volume Information") returned 1 [0075.315] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned 73 [0075.315] StrStrIW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".protected") returned 0x0 [0075.315] lstrcmpW (lpString1="XLINTL32.REST.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.315] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0075.315] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0075.315] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0075.315] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned 73 [0075.315] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".txt") returned 0x0 [0075.315] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned 73 [0075.315] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".rar") returned 0x0 [0075.315] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned 73 [0075.315] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".zip") returned 0x0 [0075.315] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.317] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.317] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.317] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.317] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0075.386] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0075.386] CloseHandle (hObject=0x1e0) returned 1 [0075.386] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.protected") returned 83 [0075.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll.protected")) returned 1 [0075.387] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.387] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Windows") returned 1 [0075.387] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files") returned 1 [0075.387] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0075.387] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0075.387] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0075.387] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned 72 [0075.387] StrStrIW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".protected") returned 0x0 [0075.387] lstrcmpW (lpString1="XLSLICER.DLL.trx_dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.387] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0075.387] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0075.387] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0075.388] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned 72 [0075.388] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0075.388] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned 72 [0075.388] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".rar") returned 0x0 [0075.388] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned 72 [0075.388] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".zip") returned 0x0 [0075.388] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.418] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.418] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.419] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.419] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0075.428] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0075.428] CloseHandle (hObject=0x1e0) returned 1 [0075.428] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.protected") returned 82 [0075.428] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.protected" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll.protected")) returned 1 [0075.429] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0075.429] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0075.429] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 81 [0075.429] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0075.430] lstrlenA (lpString="EMPTY") returned 5 [0075.430] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0075.430] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.430] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0075.430] CloseHandle (hObject=0x1dc) returned 1 [0075.431] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0075.431] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0075.431] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 76 [0075.431] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.431] lstrlenA (lpString="EMPTY") returned 5 [0075.431] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0075.432] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.432] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0075.432] CloseHandle (hObject=0x1d8) returned 1 [0075.432] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0075.432] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0075.432] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 65 [0075.432] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\office\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0075.433] lstrlenA (lpString="EMPTY") returned 5 [0075.433] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0075.433] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.433] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0075.434] CloseHandle (hObject=0x1d4) returned 1 [0075.434] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0075.434] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Windows") returned -1 [0075.434] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Program Files") returned -1 [0075.434] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Program Files (x86)") returned -1 [0075.434] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="$Recycle.bin") returned 1 [0075.434] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="System Volume Information") returned -1 [0075.434] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform") returned 61 [0075.434] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2=".") returned 1 [0075.434] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="..") returned 1 [0075.434] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*") returned 63 [0075.434] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0075.435] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.435] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.435] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.435] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.435] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.435] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\.") returned 63 [0075.435] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.435] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.435] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.435] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.435] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.435] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.435] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.435] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\..") returned 64 [0075.435] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.435] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.435] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.435] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0075.435] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0075.435] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0075.435] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0075.435] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0075.435] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned 67 [0075.435] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0075.435] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0075.435] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*") returned 69 [0075.435] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0075.435] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.435] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.435] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.435] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.435] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.435] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\.") returned 69 [0075.435] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.435] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.436] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.436] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.436] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.436] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.436] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.436] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\..") returned 70 [0075.436] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.436] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.436] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.436] lstrcmpiW (lpString1="cache.dat", lpString2="Windows") returned -1 [0075.436] lstrcmpiW (lpString1="cache.dat", lpString2="Program Files") returned -1 [0075.436] lstrcmpiW (lpString1="cache.dat", lpString2="Program Files (x86)") returned -1 [0075.436] lstrcmpiW (lpString1="cache.dat", lpString2="$Recycle.bin") returned 1 [0075.436] lstrcmpiW (lpString1="cache.dat", lpString2="System Volume Information") returned -1 [0075.436] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned 77 [0075.436] StrStrIW (lpFirst="cache.dat", lpSrch=".protected") returned 0x0 [0075.436] lstrcmpW (lpString1="cache.dat", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0075.436] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.436] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.436] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0075.436] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned 77 [0075.436] StrStrW (lpFirst="cache.dat", lpSrch=".txt") returned 0x0 [0075.436] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned 77 [0075.436] StrStrW (lpFirst="cache.dat", lpSrch=".rar") returned 0x0 [0075.436] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned 77 [0075.436] StrStrW (lpFirst="cache.dat", lpSrch=".zip") returned 0x0 [0075.436] ReadFile (in: hFile=0x1dc, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0075.519] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.519] WriteFile (in: hFile=0x1dc, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0075.520] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.520] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0075.555] WriteFile (in: hFile=0x1dc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0075.555] CloseHandle (hObject=0x1dc) returned 1 [0075.556] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.protected") returned 87 [0075.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.protected" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat.protected")) returned 1 [0075.561] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0075.562] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0075.562] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 97 [0075.562] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.562] lstrlenA (lpString="EMPTY") returned 5 [0075.562] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0075.563] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.563] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0075.563] CloseHandle (hObject=0x1d8) returned 1 [0075.563] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.564] lstrcmpiW (lpString1="tokens.dat", lpString2="Windows") returned -1 [0075.564] lstrcmpiW (lpString1="tokens.dat", lpString2="Program Files") returned 1 [0075.564] lstrcmpiW (lpString1="tokens.dat", lpString2="Program Files (x86)") returned 1 [0075.564] lstrcmpiW (lpString1="tokens.dat", lpString2="$Recycle.bin") returned 1 [0075.564] lstrcmpiW (lpString1="tokens.dat", lpString2="System Volume Information") returned 1 [0075.564] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned 72 [0075.564] StrStrIW (lpFirst="tokens.dat", lpSrch=".protected") returned 0x0 [0075.564] lstrcmpW (lpString1="tokens.dat", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.564] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0075.564] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0075.564] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.564] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned 72 [0075.564] StrStrW (lpFirst="tokens.dat", lpSrch=".txt") returned 0x0 [0075.564] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned 72 [0075.564] StrStrW (lpFirst="tokens.dat", lpSrch=".rar") returned 0x0 [0075.564] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned 72 [0075.564] StrStrW (lpFirst="tokens.dat", lpSrch=".zip") returned 0x0 [0075.564] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0075.586] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.586] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0075.586] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.586] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0075.589] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0075.589] CloseHandle (hObject=0x1d8) returned 1 [0075.590] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.protected") returned 82 [0075.590] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.protected" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat.protected")) returned 1 [0075.592] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0075.592] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0075.592] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 91 [0075.592] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0075.593] lstrlenA (lpString="EMPTY") returned 5 [0075.593] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0075.594] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.594] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0075.594] CloseHandle (hObject=0x1d4) returned 1 [0075.594] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0075.594] lstrcmpiW (lpString1="RAC", lpString2="Windows") returned -1 [0075.594] lstrcmpiW (lpString1="RAC", lpString2="Program Files") returned 1 [0075.594] lstrcmpiW (lpString1="RAC", lpString2="Program Files (x86)") returned 1 [0075.594] lstrcmpiW (lpString1="RAC", lpString2="$Recycle.bin") returned 1 [0075.594] lstrcmpiW (lpString1="RAC", lpString2="System Volume Information") returned -1 [0075.594] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC") returned 32 [0075.594] lstrcmpW (lpString1="RAC", lpString2=".") returned 1 [0075.594] lstrcmpW (lpString1="RAC", lpString2="..") returned 1 [0075.594] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*") returned 34 [0075.595] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0075.595] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.595] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.595] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.596] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.596] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.596] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\.") returned 34 [0075.596] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.597] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.597] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.597] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.597] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.597] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.597] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.597] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\..") returned 35 [0075.597] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.597] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.597] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.597] lstrcmpiW (lpString1="Outbound", lpString2="Windows") returned -1 [0075.597] lstrcmpiW (lpString1="Outbound", lpString2="Program Files") returned -1 [0075.597] lstrcmpiW (lpString1="Outbound", lpString2="Program Files (x86)") returned -1 [0075.597] lstrcmpiW (lpString1="Outbound", lpString2="$Recycle.bin") returned 1 [0075.597] lstrcmpiW (lpString1="Outbound", lpString2="System Volume Information") returned -1 [0075.597] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound") returned 41 [0075.597] lstrcmpW (lpString1="Outbound", lpString2=".") returned 1 [0075.597] lstrcmpW (lpString1="Outbound", lpString2="..") returned 1 [0075.597] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*") returned 43 [0075.597] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0075.597] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.597] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.597] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.597] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.597] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.597] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\.") returned 43 [0075.597] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.597] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.598] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.598] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.598] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.598] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.598] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.598] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\..") returned 44 [0075.598] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.598] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.598] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0075.598] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0075.598] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 71 [0075.598] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\rac\\outbound\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.599] lstrlenA (lpString="EMPTY") returned 5 [0075.599] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0075.601] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.601] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0075.601] CloseHandle (hObject=0x1d8) returned 1 [0075.602] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.602] lstrcmpiW (lpString1="PublishedData", lpString2="Windows") returned -1 [0075.602] lstrcmpiW (lpString1="PublishedData", lpString2="Program Files") returned 1 [0075.602] lstrcmpiW (lpString1="PublishedData", lpString2="Program Files (x86)") returned 1 [0075.602] lstrcmpiW (lpString1="PublishedData", lpString2="$Recycle.bin") returned 1 [0075.602] lstrcmpiW (lpString1="PublishedData", lpString2="System Volume Information") returned -1 [0075.602] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData") returned 46 [0075.602] lstrcmpW (lpString1="PublishedData", lpString2=".") returned 1 [0075.602] lstrcmpW (lpString1="PublishedData", lpString2="..") returned 1 [0075.602] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*") returned 48 [0075.602] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0075.602] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.602] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.602] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.602] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.602] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.602] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\.") returned 48 [0075.602] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.602] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.602] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.602] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.602] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.602] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.602] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.603] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\..") returned 49 [0075.603] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.603] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.603] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.603] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Windows") returned -1 [0075.603] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Program Files") returned 1 [0075.603] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Program Files (x86)") returned 1 [0075.603] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="$Recycle.bin") returned 1 [0075.603] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="System Volume Information") returned -1 [0075.603] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf") returned 65 [0075.603] StrStrIW (lpFirst="RacWmiDatabase.sdf", lpSrch=".protected") returned 0x0 [0075.603] lstrcmpW (lpString1="RacWmiDatabase.sdf", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.603] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.603] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.603] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.603] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0075.603] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0075.603] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 76 [0075.603] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.604] lstrlenA (lpString="EMPTY") returned 5 [0075.604] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0075.608] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.608] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0075.609] CloseHandle (hObject=0x1d8) returned 1 [0075.610] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.610] lstrcmpiW (lpString1="StateData", lpString2="Windows") returned -1 [0075.610] lstrcmpiW (lpString1="StateData", lpString2="Program Files") returned 1 [0075.610] lstrcmpiW (lpString1="StateData", lpString2="Program Files (x86)") returned 1 [0075.610] lstrcmpiW (lpString1="StateData", lpString2="$Recycle.bin") returned 1 [0075.610] lstrcmpiW (lpString1="StateData", lpString2="System Volume Information") returned -1 [0075.610] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData") returned 42 [0075.610] lstrcmpW (lpString1="StateData", lpString2=".") returned 1 [0075.610] lstrcmpW (lpString1="StateData", lpString2="..") returned 1 [0075.610] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*") returned 44 [0075.610] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0075.610] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.610] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.610] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.610] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.610] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.610] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\.") returned 44 [0075.610] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.610] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.610] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.610] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.610] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.610] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.610] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.610] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\..") returned 45 [0075.610] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.610] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.610] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.610] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Windows") returned -1 [0075.610] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Program Files") returned 1 [0075.610] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Program Files (x86)") returned 1 [0075.610] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="$Recycle.bin") returned 1 [0075.610] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="System Volume Information") returned -1 [0075.610] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf") returned 58 [0075.610] StrStrIW (lpFirst="RacDatabase.sdf", lpSrch=".protected") returned 0x0 [0075.610] lstrcmpW (lpString1="RacDatabase.sdf", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.611] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.611] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.611] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.611] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.611] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Windows") returned -1 [0075.611] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Program Files") returned 1 [0075.611] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Program Files (x86)") returned 1 [0075.611] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="$Recycle.bin") returned 1 [0075.611] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="System Volume Information") returned -1 [0075.611] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat") returned 58 [0075.611] StrStrIW (lpFirst="RacMetaData.dat", lpSrch=".protected") returned 0x0 [0075.611] lstrcmpW (lpString1="RacMetaData.dat", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.611] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.611] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.611] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.611] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.611] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat", lpString2="Windows") returned -1 [0075.611] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat", lpString2="Program Files") returned 1 [0075.611] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat", lpString2="Program Files (x86)") returned 1 [0075.611] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat", lpString2="$Recycle.bin") returned 1 [0075.611] lstrcmpiW (lpString1="RacWmiDataBookmarks.dat", lpString2="System Volume Information") returned -1 [0075.611] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat") returned 66 [0075.611] StrStrIW (lpFirst="RacWmiDataBookmarks.dat", lpSrch=".protected") returned 0x0 [0075.611] lstrcmpW (lpString1="RacWmiDataBookmarks.dat", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.611] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.611] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.612] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racwmidatabookmarks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0075.612] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat") returned 66 [0075.612] StrStrW (lpFirst="RacWmiDataBookmarks.dat", lpSrch=".txt") returned 0x0 [0075.612] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat") returned 66 [0075.612] StrStrW (lpFirst="RacWmiDataBookmarks.dat", lpSrch=".rar") returned 0x0 [0075.612] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat") returned 66 [0075.612] StrStrW (lpFirst="RacWmiDataBookmarks.dat", lpSrch=".zip") returned 0x0 [0075.612] ReadFile (in: hFile=0x1dc, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0075.618] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.618] WriteFile (in: hFile=0x1dc, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0075.619] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.619] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0075.619] WriteFile (in: hFile=0x1dc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0075.619] CloseHandle (hObject=0x1dc) returned 1 [0075.619] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat.protected") returned 76 [0075.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racwmidatabookmarks.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat.protected" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racwmidatabookmarks.dat.protected")) returned 1 [0075.620] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.620] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="Windows") returned -1 [0075.620] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="Program Files") returned 1 [0075.620] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="Program Files (x86)") returned 1 [0075.620] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="$Recycle.bin") returned 1 [0075.620] lstrcmpiW (lpString1="RacWmiEventData.dat", lpString2="System Volume Information") returned -1 [0075.620] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiEventData.dat") returned 62 [0075.620] StrStrIW (lpFirst="RacWmiEventData.dat", lpSrch=".protected") returned 0x0 [0075.620] lstrcmpW (lpString1="RacWmiEventData.dat", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.620] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.620] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.620] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiEventData.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racwmieventdata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.620] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0075.620] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0075.621] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 72 [0075.621] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.621] lstrlenA (lpString="EMPTY") returned 5 [0075.621] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0075.624] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.624] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0075.624] CloseHandle (hObject=0x1d8) returned 1 [0075.624] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.624] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0075.624] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0075.624] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0075.624] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0075.624] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0075.624] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp") returned 37 [0075.624] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0075.624] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0075.624] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*") returned 39 [0075.624] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0075.624] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.625] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.625] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.625] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.625] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.625] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\.") returned 39 [0075.625] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.625] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.625] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.625] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.625] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.625] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.625] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.625] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\..") returned 40 [0075.625] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.625] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.625] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.625] lstrcmpiW (lpString1="sql2220.tmp", lpString2="Windows") returned -1 [0075.625] lstrcmpiW (lpString1="sql2220.tmp", lpString2="Program Files") returned 1 [0075.625] lstrcmpiW (lpString1="sql2220.tmp", lpString2="Program Files (x86)") returned 1 [0075.625] lstrcmpiW (lpString1="sql2220.tmp", lpString2="$Recycle.bin") returned 1 [0075.625] lstrcmpiW (lpString1="sql2220.tmp", lpString2="System Volume Information") returned -1 [0075.625] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2220.tmp") returned 49 [0075.625] StrStrIW (lpFirst="sql2220.tmp", lpSrch=".protected") returned 0x0 [0075.626] lstrcmpW (lpString1="sql2220.tmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.627] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.627] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.627] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2220.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql2220.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.627] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.627] lstrcmpiW (lpString1="sql2230.tmp", lpString2="Windows") returned -1 [0075.627] lstrcmpiW (lpString1="sql2230.tmp", lpString2="Program Files") returned 1 [0075.627] lstrcmpiW (lpString1="sql2230.tmp", lpString2="Program Files (x86)") returned 1 [0075.627] lstrcmpiW (lpString1="sql2230.tmp", lpString2="$Recycle.bin") returned 1 [0075.627] lstrcmpiW (lpString1="sql2230.tmp", lpString2="System Volume Information") returned -1 [0075.627] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2230.tmp") returned 49 [0075.627] StrStrIW (lpFirst="sql2230.tmp", lpSrch=".protected") returned 0x0 [0075.627] lstrcmpW (lpString1="sql2230.tmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.627] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.627] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.627] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2230.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql2230.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.627] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0075.627] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0075.627] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 67 [0075.627] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.628] lstrlenA (lpString="EMPTY") returned 5 [0075.628] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0075.628] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.628] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0075.628] CloseHandle (hObject=0x1d8) returned 1 [0075.629] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0075.629] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0075.629] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 62 [0075.629] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\rac\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0075.752] lstrlenA (lpString="EMPTY") returned 5 [0075.753] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0075.753] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.753] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0075.754] CloseHandle (hObject=0x1d4) returned 1 [0075.754] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0075.754] lstrcmpiW (lpString1="Search", lpString2="Windows") returned -1 [0075.754] lstrcmpiW (lpString1="Search", lpString2="Program Files") returned 1 [0075.754] lstrcmpiW (lpString1="Search", lpString2="Program Files (x86)") returned 1 [0075.754] lstrcmpiW (lpString1="Search", lpString2="$Recycle.bin") returned 1 [0075.754] lstrcmpiW (lpString1="Search", lpString2="System Volume Information") returned -1 [0075.754] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search") returned 35 [0075.754] lstrcmpW (lpString1="Search", lpString2=".") returned 1 [0075.754] lstrcmpW (lpString1="Search", lpString2="..") returned 1 [0075.754] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*") returned 37 [0075.754] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0075.755] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.755] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.755] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.755] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.755] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.755] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\.") returned 37 [0075.755] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.755] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.755] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.755] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.755] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.755] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.755] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.755] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\..") returned 38 [0075.755] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.755] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.755] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.756] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0075.756] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0075.756] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0075.756] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0075.756] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0075.756] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data") returned 40 [0075.756] lstrcmpW (lpString1="Data", lpString2=".") returned 1 [0075.756] lstrcmpW (lpString1="Data", lpString2="..") returned 1 [0075.756] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*") returned 42 [0075.756] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0075.756] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.756] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.756] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.756] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.756] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.756] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\.") returned 42 [0075.756] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.756] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.756] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.756] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.756] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.756] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.756] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.756] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\..") returned 43 [0075.756] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.756] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.756] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.756] lstrcmpiW (lpString1="Applications", lpString2="Windows") returned -1 [0075.757] lstrcmpiW (lpString1="Applications", lpString2="Program Files") returned -1 [0075.757] lstrcmpiW (lpString1="Applications", lpString2="Program Files (x86)") returned -1 [0075.757] lstrcmpiW (lpString1="Applications", lpString2="$Recycle.bin") returned 1 [0075.757] lstrcmpiW (lpString1="Applications", lpString2="System Volume Information") returned -1 [0075.757] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications") returned 53 [0075.757] lstrcmpW (lpString1="Applications", lpString2=".") returned 1 [0075.757] lstrcmpW (lpString1="Applications", lpString2="..") returned 1 [0075.757] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*") returned 55 [0075.757] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0075.757] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.757] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.757] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.758] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.758] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.758] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\.") returned 55 [0075.758] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.758] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.758] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.758] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.758] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.758] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.758] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.758] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\..") returned 56 [0075.758] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.758] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.758] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.758] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0075.758] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0075.758] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0075.758] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 83 [0075.758] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0075.758] lstrlenA (lpString="EMPTY") returned 5 [0075.758] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0075.759] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.759] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0075.759] CloseHandle (hObject=0x1dc) returned 1 [0075.760] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.760] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0075.760] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0075.760] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0075.761] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0075.761] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0075.761] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp") returned 45 [0075.761] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0075.761] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0075.761] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*") returned 47 [0075.761] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0075.761] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.761] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.761] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.761] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.761] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.761] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\.") returned 47 [0075.761] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.761] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.761] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.761] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.761] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.761] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.761] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.761] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\..") returned 48 [0075.761] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.761] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.761] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0075.761] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0075.761] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 75 [0075.762] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\temp\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0075.762] lstrlenA (lpString="EMPTY") returned 5 [0075.762] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0075.763] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.763] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0075.763] CloseHandle (hObject=0x1dc) returned 1 [0075.763] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0075.763] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0075.764] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 70 [0075.764] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.764] lstrlenA (lpString="EMPTY") returned 5 [0075.764] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0075.765] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.765] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0075.765] CloseHandle (hObject=0x1d8) returned 1 [0075.765] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0075.765] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0075.765] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 65 [0075.765] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\search\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0075.766] lstrlenA (lpString="EMPTY") returned 5 [0075.766] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0075.767] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.767] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0075.767] CloseHandle (hObject=0x1d4) returned 1 [0075.767] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0075.767] lstrcmpiW (lpString1="User Account Pictures", lpString2="Windows") returned -1 [0075.767] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files") returned 1 [0075.767] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files (x86)") returned 1 [0075.767] lstrcmpiW (lpString1="User Account Pictures", lpString2="$Recycle.bin") returned 1 [0075.767] lstrcmpiW (lpString1="User Account Pictures", lpString2="System Volume Information") returned 1 [0075.767] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures") returned 50 [0075.767] lstrcmpW (lpString1="User Account Pictures", lpString2=".") returned 1 [0075.767] lstrcmpW (lpString1="User Account Pictures", lpString2="..") returned 1 [0075.767] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*") returned 52 [0075.767] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0075.767] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.767] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.767] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.767] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.767] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.767] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\.") returned 52 [0075.767] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.767] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.767] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.767] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.768] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.768] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.768] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.768] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\..") returned 53 [0075.768] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.768] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.768] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.768] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Windows") returned -1 [0075.768] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Program Files") returned -1 [0075.768] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Program Files (x86)") returned -1 [0075.768] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="$Recycle.bin") returned 1 [0075.768] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="System Volume Information") returned -1 [0075.768] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned 75 [0075.768] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz.dat", lpSrch=".protected") returned 0x0 [0075.768] lstrcmpW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0075.768] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0075.768] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0075.768] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.769] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned 75 [0075.769] StrStrW (lpFirst="5p5NrGJn0jS HALPmcxz.dat", lpSrch=".txt") returned 0x0 [0075.769] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned 75 [0075.769] StrStrW (lpFirst="5p5NrGJn0jS HALPmcxz.dat", lpSrch=".rar") returned 0x0 [0075.769] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned 75 [0075.769] StrStrW (lpFirst="5p5NrGJn0jS HALPmcxz.dat", lpSrch=".zip") returned 0x0 [0075.769] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x0, lpOverlapped=0x0) returned 1 [0075.769] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.769] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x0, lpOverlapped=0x0) returned 1 [0075.769] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.769] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0075.770] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0075.770] CloseHandle (hObject=0x1d8) returned 1 [0075.770] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat.protected") returned 85 [0075.770] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat.protected" (normalized: "c:\\programdata\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat.protected")) returned 1 [0075.771] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.771] lstrcmpiW (lpString1="Default Pictures", lpString2="Windows") returned -1 [0075.771] lstrcmpiW (lpString1="Default Pictures", lpString2="Program Files") returned -1 [0075.771] lstrcmpiW (lpString1="Default Pictures", lpString2="Program Files (x86)") returned -1 [0075.771] lstrcmpiW (lpString1="Default Pictures", lpString2="$Recycle.bin") returned 1 [0075.771] lstrcmpiW (lpString1="Default Pictures", lpString2="System Volume Information") returned -1 [0075.771] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures") returned 67 [0075.771] lstrcmpW (lpString1="Default Pictures", lpString2=".") returned 1 [0075.771] lstrcmpW (lpString1="Default Pictures", lpString2="..") returned 1 [0075.771] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*") returned 69 [0075.771] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0075.793] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.793] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.793] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.793] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.793] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.793] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\.") returned 69 [0075.793] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.793] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.793] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.793] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.793] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.793] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.793] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.793] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\..") returned 70 [0075.793] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.793] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.793] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.793] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Windows") returned -1 [0075.793] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Program Files") returned 1 [0075.793] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Program Files (x86)") returned 1 [0075.793] lstrcmpiW (lpString1="usertile10.bmp", lpString2="$Recycle.bin") returned 1 [0075.793] lstrcmpiW (lpString1="usertile10.bmp", lpString2="System Volume Information") returned 1 [0075.794] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned 82 [0075.794] StrStrIW (lpFirst="usertile10.bmp", lpSrch=".protected") returned 0x0 [0075.794] lstrcmpW (lpString1="usertile10.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.794] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.794] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.794] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.794] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.795] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Windows") returned -1 [0075.795] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Program Files") returned 1 [0075.795] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Program Files (x86)") returned 1 [0075.795] lstrcmpiW (lpString1="usertile11.bmp", lpString2="$Recycle.bin") returned 1 [0075.795] lstrcmpiW (lpString1="usertile11.bmp", lpString2="System Volume Information") returned 1 [0075.795] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned 82 [0075.795] StrStrIW (lpFirst="usertile11.bmp", lpSrch=".protected") returned 0x0 [0075.795] lstrcmpW (lpString1="usertile11.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.795] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.795] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.795] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.795] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.795] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Windows") returned -1 [0075.795] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Program Files") returned 1 [0075.795] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Program Files (x86)") returned 1 [0075.795] lstrcmpiW (lpString1="usertile12.bmp", lpString2="$Recycle.bin") returned 1 [0075.795] lstrcmpiW (lpString1="usertile12.bmp", lpString2="System Volume Information") returned 1 [0075.795] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned 82 [0075.795] StrStrIW (lpFirst="usertile12.bmp", lpSrch=".protected") returned 0x0 [0075.795] lstrcmpW (lpString1="usertile12.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.795] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.795] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.795] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.795] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.795] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Windows") returned -1 [0075.795] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Program Files") returned 1 [0075.795] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Program Files (x86)") returned 1 [0075.795] lstrcmpiW (lpString1="usertile13.bmp", lpString2="$Recycle.bin") returned 1 [0075.795] lstrcmpiW (lpString1="usertile13.bmp", lpString2="System Volume Information") returned 1 [0075.796] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") returned 82 [0075.796] StrStrIW (lpFirst="usertile13.bmp", lpSrch=".protected") returned 0x0 [0075.796] lstrcmpW (lpString1="usertile13.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.796] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.796] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.796] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.796] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.796] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Windows") returned -1 [0075.796] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Program Files") returned 1 [0075.796] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Program Files (x86)") returned 1 [0075.796] lstrcmpiW (lpString1="usertile14.bmp", lpString2="$Recycle.bin") returned 1 [0075.796] lstrcmpiW (lpString1="usertile14.bmp", lpString2="System Volume Information") returned 1 [0075.796] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned 82 [0075.796] StrStrIW (lpFirst="usertile14.bmp", lpSrch=".protected") returned 0x0 [0075.796] lstrcmpW (lpString1="usertile14.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.796] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.796] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.796] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.797] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.797] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Windows") returned -1 [0075.797] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Program Files") returned 1 [0075.797] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Program Files (x86)") returned 1 [0075.797] lstrcmpiW (lpString1="usertile15.bmp", lpString2="$Recycle.bin") returned 1 [0075.797] lstrcmpiW (lpString1="usertile15.bmp", lpString2="System Volume Information") returned 1 [0075.797] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned 82 [0075.797] StrStrIW (lpFirst="usertile15.bmp", lpSrch=".protected") returned 0x0 [0075.797] lstrcmpW (lpString1="usertile15.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.797] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.797] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.797] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.797] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.797] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Windows") returned -1 [0075.797] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Program Files") returned 1 [0075.797] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Program Files (x86)") returned 1 [0075.797] lstrcmpiW (lpString1="usertile16.bmp", lpString2="$Recycle.bin") returned 1 [0075.797] lstrcmpiW (lpString1="usertile16.bmp", lpString2="System Volume Information") returned 1 [0075.797] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned 82 [0075.797] StrStrIW (lpFirst="usertile16.bmp", lpSrch=".protected") returned 0x0 [0075.797] lstrcmpW (lpString1="usertile16.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.797] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.798] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.798] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.798] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.798] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Windows") returned -1 [0075.798] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Program Files") returned 1 [0075.798] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Program Files (x86)") returned 1 [0075.798] lstrcmpiW (lpString1="usertile17.bmp", lpString2="$Recycle.bin") returned 1 [0075.798] lstrcmpiW (lpString1="usertile17.bmp", lpString2="System Volume Information") returned 1 [0075.798] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned 82 [0075.798] StrStrIW (lpFirst="usertile17.bmp", lpSrch=".protected") returned 0x0 [0075.798] lstrcmpW (lpString1="usertile17.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.798] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.798] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.798] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.798] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.798] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Windows") returned -1 [0075.798] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Program Files") returned 1 [0075.798] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Program Files (x86)") returned 1 [0075.798] lstrcmpiW (lpString1="usertile18.bmp", lpString2="$Recycle.bin") returned 1 [0075.798] lstrcmpiW (lpString1="usertile18.bmp", lpString2="System Volume Information") returned 1 [0075.798] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned 82 [0075.798] StrStrIW (lpFirst="usertile18.bmp", lpSrch=".protected") returned 0x0 [0075.798] lstrcmpW (lpString1="usertile18.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.798] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.798] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.798] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.799] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.799] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Windows") returned -1 [0075.799] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Program Files") returned 1 [0075.799] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Program Files (x86)") returned 1 [0075.799] lstrcmpiW (lpString1="usertile19.bmp", lpString2="$Recycle.bin") returned 1 [0075.799] lstrcmpiW (lpString1="usertile19.bmp", lpString2="System Volume Information") returned 1 [0075.799] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp") returned 82 [0075.799] StrStrIW (lpFirst="usertile19.bmp", lpSrch=".protected") returned 0x0 [0075.799] lstrcmpW (lpString1="usertile19.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.799] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.799] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.799] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.800] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.800] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Windows") returned -1 [0075.800] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Program Files") returned 1 [0075.800] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Program Files (x86)") returned 1 [0075.800] lstrcmpiW (lpString1="usertile20.bmp", lpString2="$Recycle.bin") returned 1 [0075.800] lstrcmpiW (lpString1="usertile20.bmp", lpString2="System Volume Information") returned 1 [0075.800] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned 82 [0075.800] StrStrIW (lpFirst="usertile20.bmp", lpSrch=".protected") returned 0x0 [0075.800] lstrcmpW (lpString1="usertile20.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.800] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.800] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.800] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.800] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.800] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Windows") returned -1 [0075.800] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Program Files") returned 1 [0075.800] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Program Files (x86)") returned 1 [0075.800] lstrcmpiW (lpString1="usertile21.bmp", lpString2="$Recycle.bin") returned 1 [0075.800] lstrcmpiW (lpString1="usertile21.bmp", lpString2="System Volume Information") returned 1 [0075.800] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned 82 [0075.800] StrStrIW (lpFirst="usertile21.bmp", lpSrch=".protected") returned 0x0 [0075.800] lstrcmpW (lpString1="usertile21.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.800] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.800] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.800] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.801] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.801] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Windows") returned -1 [0075.801] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Program Files") returned 1 [0075.801] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Program Files (x86)") returned 1 [0075.801] lstrcmpiW (lpString1="usertile22.bmp", lpString2="$Recycle.bin") returned 1 [0075.801] lstrcmpiW (lpString1="usertile22.bmp", lpString2="System Volume Information") returned 1 [0075.801] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned 82 [0075.801] StrStrIW (lpFirst="usertile22.bmp", lpSrch=".protected") returned 0x0 [0075.801] lstrcmpW (lpString1="usertile22.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.801] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.801] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.801] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.801] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.801] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Windows") returned -1 [0075.802] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Program Files") returned 1 [0075.802] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Program Files (x86)") returned 1 [0075.802] lstrcmpiW (lpString1="usertile23.bmp", lpString2="$Recycle.bin") returned 1 [0075.802] lstrcmpiW (lpString1="usertile23.bmp", lpString2="System Volume Information") returned 1 [0075.802] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned 82 [0075.802] StrStrIW (lpFirst="usertile23.bmp", lpSrch=".protected") returned 0x0 [0075.802] lstrcmpW (lpString1="usertile23.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.802] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.802] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.802] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.802] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.802] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Windows") returned -1 [0075.802] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Program Files") returned 1 [0075.802] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Program Files (x86)") returned 1 [0075.802] lstrcmpiW (lpString1="usertile24.bmp", lpString2="$Recycle.bin") returned 1 [0075.802] lstrcmpiW (lpString1="usertile24.bmp", lpString2="System Volume Information") returned 1 [0075.802] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned 82 [0075.802] StrStrIW (lpFirst="usertile24.bmp", lpSrch=".protected") returned 0x0 [0075.802] lstrcmpW (lpString1="usertile24.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.802] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.802] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.802] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.802] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.802] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Windows") returned -1 [0075.802] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Program Files") returned 1 [0075.802] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Program Files (x86)") returned 1 [0075.802] lstrcmpiW (lpString1="usertile25.bmp", lpString2="$Recycle.bin") returned 1 [0075.803] lstrcmpiW (lpString1="usertile25.bmp", lpString2="System Volume Information") returned 1 [0075.803] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp") returned 82 [0075.803] StrStrIW (lpFirst="usertile25.bmp", lpSrch=".protected") returned 0x0 [0075.803] lstrcmpW (lpString1="usertile25.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.803] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.803] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.803] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.803] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.803] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Windows") returned -1 [0075.803] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Program Files") returned 1 [0075.803] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Program Files (x86)") returned 1 [0075.803] lstrcmpiW (lpString1="usertile26.bmp", lpString2="$Recycle.bin") returned 1 [0075.803] lstrcmpiW (lpString1="usertile26.bmp", lpString2="System Volume Information") returned 1 [0075.803] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned 82 [0075.803] StrStrIW (lpFirst="usertile26.bmp", lpSrch=".protected") returned 0x0 [0075.803] lstrcmpW (lpString1="usertile26.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.803] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.803] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.803] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.804] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.804] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Windows") returned -1 [0075.804] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Program Files") returned 1 [0075.804] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Program Files (x86)") returned 1 [0075.804] lstrcmpiW (lpString1="usertile27.bmp", lpString2="$Recycle.bin") returned 1 [0075.804] lstrcmpiW (lpString1="usertile27.bmp", lpString2="System Volume Information") returned 1 [0075.804] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned 82 [0075.804] StrStrIW (lpFirst="usertile27.bmp", lpSrch=".protected") returned 0x0 [0075.804] lstrcmpW (lpString1="usertile27.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.804] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.804] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.804] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.804] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.804] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Windows") returned -1 [0075.804] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Program Files") returned 1 [0075.804] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Program Files (x86)") returned 1 [0075.804] lstrcmpiW (lpString1="usertile28.bmp", lpString2="$Recycle.bin") returned 1 [0075.804] lstrcmpiW (lpString1="usertile28.bmp", lpString2="System Volume Information") returned 1 [0075.804] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned 82 [0075.804] StrStrIW (lpFirst="usertile28.bmp", lpSrch=".protected") returned 0x0 [0075.805] lstrcmpW (lpString1="usertile28.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.805] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.805] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.805] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.805] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.805] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Windows") returned -1 [0075.805] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Program Files") returned 1 [0075.805] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Program Files (x86)") returned 1 [0075.805] lstrcmpiW (lpString1="usertile29.bmp", lpString2="$Recycle.bin") returned 1 [0075.805] lstrcmpiW (lpString1="usertile29.bmp", lpString2="System Volume Information") returned 1 [0075.805] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp") returned 82 [0075.805] StrStrIW (lpFirst="usertile29.bmp", lpSrch=".protected") returned 0x0 [0075.805] lstrcmpW (lpString1="usertile29.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.805] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.805] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.805] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.805] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.805] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Windows") returned -1 [0075.805] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Program Files") returned 1 [0075.805] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Program Files (x86)") returned 1 [0075.805] lstrcmpiW (lpString1="usertile30.bmp", lpString2="$Recycle.bin") returned 1 [0075.805] lstrcmpiW (lpString1="usertile30.bmp", lpString2="System Volume Information") returned 1 [0075.805] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp") returned 82 [0075.805] StrStrIW (lpFirst="usertile30.bmp", lpSrch=".protected") returned 0x0 [0075.805] lstrcmpW (lpString1="usertile30.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.805] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.806] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.806] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.806] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.806] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Windows") returned -1 [0075.806] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Program Files") returned 1 [0075.806] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Program Files (x86)") returned 1 [0075.806] lstrcmpiW (lpString1="usertile31.bmp", lpString2="$Recycle.bin") returned 1 [0075.806] lstrcmpiW (lpString1="usertile31.bmp", lpString2="System Volume Information") returned 1 [0075.806] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned 82 [0075.806] StrStrIW (lpFirst="usertile31.bmp", lpSrch=".protected") returned 0x0 [0075.806] lstrcmpW (lpString1="usertile31.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.806] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.806] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.807] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.807] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.807] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Windows") returned -1 [0075.807] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Program Files") returned 1 [0075.807] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Program Files (x86)") returned 1 [0075.807] lstrcmpiW (lpString1="usertile32.bmp", lpString2="$Recycle.bin") returned 1 [0075.807] lstrcmpiW (lpString1="usertile32.bmp", lpString2="System Volume Information") returned 1 [0075.807] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned 82 [0075.807] StrStrIW (lpFirst="usertile32.bmp", lpSrch=".protected") returned 0x0 [0075.807] lstrcmpW (lpString1="usertile32.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.807] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.807] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.807] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.807] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.807] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Windows") returned -1 [0075.807] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Program Files") returned 1 [0075.807] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Program Files (x86)") returned 1 [0075.807] lstrcmpiW (lpString1="usertile33.bmp", lpString2="$Recycle.bin") returned 1 [0075.807] lstrcmpiW (lpString1="usertile33.bmp", lpString2="System Volume Information") returned 1 [0075.807] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned 82 [0075.807] StrStrIW (lpFirst="usertile33.bmp", lpSrch=".protected") returned 0x0 [0075.807] lstrcmpW (lpString1="usertile33.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.807] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.807] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.807] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.808] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.808] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Windows") returned -1 [0075.808] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Program Files") returned 1 [0075.808] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Program Files (x86)") returned 1 [0075.808] lstrcmpiW (lpString1="usertile34.bmp", lpString2="$Recycle.bin") returned 1 [0075.808] lstrcmpiW (lpString1="usertile34.bmp", lpString2="System Volume Information") returned 1 [0075.808] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned 82 [0075.808] StrStrIW (lpFirst="usertile34.bmp", lpSrch=".protected") returned 0x0 [0075.808] lstrcmpW (lpString1="usertile34.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.808] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.808] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.808] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.808] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.809] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Windows") returned -1 [0075.809] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Program Files") returned 1 [0075.809] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Program Files (x86)") returned 1 [0075.809] lstrcmpiW (lpString1="usertile35.bmp", lpString2="$Recycle.bin") returned 1 [0075.809] lstrcmpiW (lpString1="usertile35.bmp", lpString2="System Volume Information") returned 1 [0075.809] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp") returned 82 [0075.809] StrStrIW (lpFirst="usertile35.bmp", lpSrch=".protected") returned 0x0 [0075.809] lstrcmpW (lpString1="usertile35.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.809] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.809] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.809] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.809] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.809] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Windows") returned -1 [0075.809] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Program Files") returned 1 [0075.809] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Program Files (x86)") returned 1 [0075.809] lstrcmpiW (lpString1="usertile36.bmp", lpString2="$Recycle.bin") returned 1 [0075.809] lstrcmpiW (lpString1="usertile36.bmp", lpString2="System Volume Information") returned 1 [0075.809] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned 82 [0075.809] StrStrIW (lpFirst="usertile36.bmp", lpSrch=".protected") returned 0x0 [0075.809] lstrcmpW (lpString1="usertile36.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.809] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.809] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.809] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.809] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.809] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Windows") returned -1 [0075.810] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Program Files") returned 1 [0075.810] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Program Files (x86)") returned 1 [0075.810] lstrcmpiW (lpString1="usertile37.bmp", lpString2="$Recycle.bin") returned 1 [0075.810] lstrcmpiW (lpString1="usertile37.bmp", lpString2="System Volume Information") returned 1 [0075.810] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned 82 [0075.810] StrStrIW (lpFirst="usertile37.bmp", lpSrch=".protected") returned 0x0 [0075.810] lstrcmpW (lpString1="usertile37.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.810] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.810] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.810] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.810] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.810] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Windows") returned -1 [0075.810] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Program Files") returned 1 [0075.810] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Program Files (x86)") returned 1 [0075.810] lstrcmpiW (lpString1="usertile38.bmp", lpString2="$Recycle.bin") returned 1 [0075.810] lstrcmpiW (lpString1="usertile38.bmp", lpString2="System Volume Information") returned 1 [0075.810] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned 82 [0075.810] StrStrIW (lpFirst="usertile38.bmp", lpSrch=".protected") returned 0x0 [0075.810] lstrcmpW (lpString1="usertile38.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.810] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.810] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.810] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.811] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.811] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Windows") returned -1 [0075.811] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Program Files") returned 1 [0075.811] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Program Files (x86)") returned 1 [0075.811] lstrcmpiW (lpString1="usertile39.bmp", lpString2="$Recycle.bin") returned 1 [0075.811] lstrcmpiW (lpString1="usertile39.bmp", lpString2="System Volume Information") returned 1 [0075.811] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned 82 [0075.811] StrStrIW (lpFirst="usertile39.bmp", lpSrch=".protected") returned 0x0 [0075.811] lstrcmpW (lpString1="usertile39.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.811] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.811] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.811] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.811] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.811] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Windows") returned -1 [0075.811] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Program Files") returned 1 [0075.811] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Program Files (x86)") returned 1 [0075.811] lstrcmpiW (lpString1="usertile40.bmp", lpString2="$Recycle.bin") returned 1 [0075.811] lstrcmpiW (lpString1="usertile40.bmp", lpString2="System Volume Information") returned 1 [0075.811] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned 82 [0075.812] StrStrIW (lpFirst="usertile40.bmp", lpSrch=".protected") returned 0x0 [0075.812] lstrcmpW (lpString1="usertile40.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.812] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.812] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.812] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.812] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.812] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Windows") returned -1 [0075.812] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Program Files") returned 1 [0075.812] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Program Files (x86)") returned 1 [0075.812] lstrcmpiW (lpString1="usertile41.bmp", lpString2="$Recycle.bin") returned 1 [0075.812] lstrcmpiW (lpString1="usertile41.bmp", lpString2="System Volume Information") returned 1 [0075.812] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp") returned 82 [0075.812] StrStrIW (lpFirst="usertile41.bmp", lpSrch=".protected") returned 0x0 [0075.812] lstrcmpW (lpString1="usertile41.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.812] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.812] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.812] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.812] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.812] lstrcmpiW (lpString1="usertile42.bmp", lpString2="Windows") returned -1 [0075.812] lstrcmpiW (lpString1="usertile42.bmp", lpString2="Program Files") returned 1 [0075.812] lstrcmpiW (lpString1="usertile42.bmp", lpString2="Program Files (x86)") returned 1 [0075.812] lstrcmpiW (lpString1="usertile42.bmp", lpString2="$Recycle.bin") returned 1 [0075.812] lstrcmpiW (lpString1="usertile42.bmp", lpString2="System Volume Information") returned 1 [0075.812] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned 82 [0075.812] StrStrIW (lpFirst="usertile42.bmp", lpSrch=".protected") returned 0x0 [0075.813] lstrcmpW (lpString1="usertile42.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.813] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.813] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.813] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.813] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.813] lstrcmpiW (lpString1="usertile43.bmp", lpString2="Windows") returned -1 [0075.813] lstrcmpiW (lpString1="usertile43.bmp", lpString2="Program Files") returned 1 [0075.813] lstrcmpiW (lpString1="usertile43.bmp", lpString2="Program Files (x86)") returned 1 [0075.813] lstrcmpiW (lpString1="usertile43.bmp", lpString2="$Recycle.bin") returned 1 [0075.813] lstrcmpiW (lpString1="usertile43.bmp", lpString2="System Volume Information") returned 1 [0075.813] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned 82 [0075.813] StrStrIW (lpFirst="usertile43.bmp", lpSrch=".protected") returned 0x0 [0075.813] lstrcmpW (lpString1="usertile43.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.813] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.813] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.813] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.813] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.813] lstrcmpiW (lpString1="usertile44.bmp", lpString2="Windows") returned -1 [0075.813] lstrcmpiW (lpString1="usertile44.bmp", lpString2="Program Files") returned 1 [0075.813] lstrcmpiW (lpString1="usertile44.bmp", lpString2="Program Files (x86)") returned 1 [0075.813] lstrcmpiW (lpString1="usertile44.bmp", lpString2="$Recycle.bin") returned 1 [0075.813] lstrcmpiW (lpString1="usertile44.bmp", lpString2="System Volume Information") returned 1 [0075.813] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned 82 [0075.813] StrStrIW (lpFirst="usertile44.bmp", lpSrch=".protected") returned 0x0 [0075.813] lstrcmpW (lpString1="usertile44.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.813] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0075.814] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0075.814] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.814] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0075.814] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0075.814] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 97 [0075.814] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.816] lstrlenA (lpString="EMPTY") returned 5 [0075.816] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0075.817] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.817] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0075.817] CloseHandle (hObject=0x1d8) returned 1 [0075.817] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.817] lstrcmpiW (lpString1="guest.bmp", lpString2="Windows") returned -1 [0075.817] lstrcmpiW (lpString1="guest.bmp", lpString2="Program Files") returned -1 [0075.817] lstrcmpiW (lpString1="guest.bmp", lpString2="Program Files (x86)") returned -1 [0075.817] lstrcmpiW (lpString1="guest.bmp", lpString2="$Recycle.bin") returned 1 [0075.817] lstrcmpiW (lpString1="guest.bmp", lpString2="System Volume Information") returned -1 [0075.817] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0075.817] StrStrIW (lpFirst="guest.bmp", lpSrch=".protected") returned 0x0 [0075.817] lstrcmpW (lpString1="guest.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0075.817] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0075.817] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0075.817] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.818] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0075.818] StrStrW (lpFirst="guest.bmp", lpSrch=".txt") returned 0x0 [0075.818] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0075.818] StrStrW (lpFirst="guest.bmp", lpSrch=".rar") returned 0x0 [0075.818] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0075.818] StrStrW (lpFirst="guest.bmp", lpSrch=".zip") returned 0x0 [0075.818] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0075.907] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.907] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0075.907] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.907] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0075.907] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0075.908] CloseHandle (hObject=0x1d8) returned 1 [0075.908] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.protected") returned 70 [0075.908] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.protected" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp.protected")) returned 1 [0075.908] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.908] lstrcmpiW (lpString1="user.bmp", lpString2="Windows") returned -1 [0075.908] lstrcmpiW (lpString1="user.bmp", lpString2="Program Files") returned 1 [0075.908] lstrcmpiW (lpString1="user.bmp", lpString2="Program Files (x86)") returned 1 [0075.908] lstrcmpiW (lpString1="user.bmp", lpString2="$Recycle.bin") returned 1 [0075.909] lstrcmpiW (lpString1="user.bmp", lpString2="System Volume Information") returned 1 [0075.909] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0075.909] StrStrIW (lpFirst="user.bmp", lpSrch=".protected") returned 0x0 [0075.909] lstrcmpW (lpString1="user.bmp", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.909] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0075.909] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0075.909] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.909] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0075.909] StrStrW (lpFirst="user.bmp", lpSrch=".txt") returned 0x0 [0075.909] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0075.909] StrStrW (lpFirst="user.bmp", lpSrch=".rar") returned 0x0 [0075.909] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0075.909] StrStrW (lpFirst="user.bmp", lpSrch=".zip") returned 0x0 [0075.909] ReadFile (in: hFile=0x1d8, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0075.910] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.910] WriteFile (in: hFile=0x1d8, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0075.910] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.910] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0075.910] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0075.910] CloseHandle (hObject=0x1d8) returned 1 [0075.910] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.protected") returned 69 [0075.911] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.protected" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp.protected")) returned 1 [0075.911] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0075.911] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0075.911] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 80 [0075.911] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\user account pictures\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0075.912] lstrlenA (lpString="EMPTY") returned 5 [0075.912] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0075.913] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.913] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0075.913] CloseHandle (hObject=0x1d4) returned 1 [0075.913] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0075.913] lstrcmpiW (lpString1="Vault", lpString2="Windows") returned -1 [0075.913] lstrcmpiW (lpString1="Vault", lpString2="Program Files") returned 1 [0075.913] lstrcmpiW (lpString1="Vault", lpString2="Program Files (x86)") returned 1 [0075.913] lstrcmpiW (lpString1="Vault", lpString2="$Recycle.bin") returned 1 [0075.913] lstrcmpiW (lpString1="Vault", lpString2="System Volume Information") returned 1 [0075.913] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault") returned 34 [0075.913] lstrcmpW (lpString1="Vault", lpString2=".") returned 1 [0075.913] lstrcmpW (lpString1="Vault", lpString2="..") returned 1 [0075.914] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*") returned 36 [0075.914] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0075.914] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.914] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.914] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.914] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.914] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.914] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\.") returned 36 [0075.914] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.914] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.914] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.914] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.914] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.914] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.914] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.914] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\..") returned 37 [0075.914] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.914] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.914] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0075.914] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0075.914] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 64 [0075.914] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\vault\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0075.915] lstrlenA (lpString="EMPTY") returned 5 [0075.915] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0075.915] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.915] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0075.916] CloseHandle (hObject=0x1d4) returned 1 [0075.916] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0075.916] lstrcmpiW (lpString1="VISIO", lpString2="Windows") returned -1 [0075.916] lstrcmpiW (lpString1="VISIO", lpString2="Program Files") returned 1 [0075.916] lstrcmpiW (lpString1="VISIO", lpString2="Program Files (x86)") returned 1 [0075.916] lstrcmpiW (lpString1="VISIO", lpString2="$Recycle.bin") returned 1 [0075.916] lstrcmpiW (lpString1="VISIO", lpString2="System Volume Information") returned 1 [0075.916] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO") returned 34 [0075.916] lstrcmpW (lpString1="VISIO", lpString2=".") returned 1 [0075.916] lstrcmpW (lpString1="VISIO", lpString2="..") returned 1 [0075.916] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\*") returned 36 [0075.916] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0075.917] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.917] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.917] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.917] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.917] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.917] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\.") returned 36 [0075.917] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.917] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.917] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.917] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.918] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.918] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.918] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.918] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\..") returned 37 [0075.918] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.918] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.918] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0075.918] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0075.918] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 64 [0075.918] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\visio\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0075.919] lstrlenA (lpString="EMPTY") returned 5 [0075.919] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0075.919] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.919] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0075.920] CloseHandle (hObject=0x1d4) returned 1 [0075.920] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0075.920] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0075.920] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0075.920] lstrcmpiW (lpString1="Windows Defender", lpString2="Windows") returned 1 [0075.920] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files") returned 1 [0075.920] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files (x86)") returned 1 [0075.920] lstrcmpiW (lpString1="Windows Defender", lpString2="$Recycle.bin") returned 1 [0075.920] lstrcmpiW (lpString1="Windows Defender", lpString2="System Volume Information") returned 1 [0075.920] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender") returned 45 [0075.920] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1 [0075.920] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1 [0075.920] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*") returned 47 [0075.920] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0075.922] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.922] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.922] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.922] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.922] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.922] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\.") returned 47 [0075.922] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.922] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.922] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.922] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.922] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.922] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.922] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.922] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\..") returned 48 [0075.922] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.922] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.922] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.922] lstrcmpiW (lpString1="Definition Updates", lpString2="Windows") returned -1 [0075.922] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files") returned -1 [0075.922] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files (x86)") returned -1 [0075.922] lstrcmpiW (lpString1="Definition Updates", lpString2="$Recycle.bin") returned 1 [0075.922] lstrcmpiW (lpString1="Definition Updates", lpString2="System Volume Information") returned -1 [0075.922] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates") returned 64 [0075.923] lstrcmpW (lpString1="Definition Updates", lpString2=".") returned 1 [0075.923] lstrcmpW (lpString1="Definition Updates", lpString2="..") returned 1 [0075.923] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*") returned 66 [0075.923] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0075.923] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.923] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.923] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.923] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.923] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.923] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\.") returned 66 [0075.923] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.923] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.923] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.923] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.923] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.923] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.923] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.923] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\..") returned 67 [0075.923] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.923] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.923] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.923] lstrcmpiW (lpString1="Backup", lpString2="Windows") returned -1 [0075.923] lstrcmpiW (lpString1="Backup", lpString2="Program Files") returned -1 [0075.923] lstrcmpiW (lpString1="Backup", lpString2="Program Files (x86)") returned -1 [0075.923] lstrcmpiW (lpString1="Backup", lpString2="$Recycle.bin") returned 1 [0075.923] lstrcmpiW (lpString1="Backup", lpString2="System Volume Information") returned -1 [0075.923] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned 71 [0075.923] lstrcmpW (lpString1="Backup", lpString2=".") returned 1 [0075.923] lstrcmpW (lpString1="Backup", lpString2="..") returned 1 [0075.923] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*") returned 73 [0075.924] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0075.924] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.924] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.924] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.924] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.924] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.924] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\.") returned 73 [0075.924] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.924] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.924] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.924] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.924] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.924] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.924] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.924] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\..") returned 74 [0075.924] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.924] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.924] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0075.924] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0075.924] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 101 [0075.924] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\backup\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0075.925] lstrlenA (lpString="EMPTY") returned 5 [0075.925] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0075.925] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.925] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0075.926] CloseHandle (hObject=0x1dc) returned 1 [0075.926] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.926] lstrcmpiW (lpString1="Updates", lpString2="Windows") returned -1 [0075.926] lstrcmpiW (lpString1="Updates", lpString2="Program Files") returned 1 [0075.926] lstrcmpiW (lpString1="Updates", lpString2="Program Files (x86)") returned 1 [0075.926] lstrcmpiW (lpString1="Updates", lpString2="$Recycle.bin") returned 1 [0075.926] lstrcmpiW (lpString1="Updates", lpString2="System Volume Information") returned 1 [0075.926] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned 72 [0075.926] lstrcmpW (lpString1="Updates", lpString2=".") returned 1 [0075.926] lstrcmpW (lpString1="Updates", lpString2="..") returned 1 [0075.926] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*") returned 74 [0075.926] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0075.927] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.927] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.927] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.927] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.927] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.927] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\.") returned 74 [0075.927] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.927] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.927] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.927] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.927] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.927] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.927] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.927] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\..") returned 75 [0075.927] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.927] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.927] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0075.927] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0075.927] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 102 [0075.927] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\updates\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0075.928] lstrlenA (lpString="EMPTY") returned 5 [0075.928] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0075.929] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.929] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0075.929] CloseHandle (hObject=0x1dc) returned 1 [0075.929] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.929] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Windows") returned -1 [0075.929] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Program Files") returned -1 [0075.929] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="Program Files (x86)") returned -1 [0075.929] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="$Recycle.bin") returned 1 [0075.929] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="System Volume Information") returned -1 [0075.929] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned 103 [0075.929] lstrcmpW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2=".") returned 1 [0075.929] lstrcmpW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="..") returned 1 [0075.929] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*") returned 105 [0075.929] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0075.930] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.930] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.930] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.930] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.930] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.930] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\.") returned 105 [0075.930] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.930] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.930] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.930] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.930] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.930] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.930] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.930] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\..") returned 106 [0075.930] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.930] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.930] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.930] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="Windows") returned -1 [0075.930] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="Program Files") returned -1 [0075.930] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="Program Files (x86)") returned -1 [0075.930] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="$Recycle.bin") returned 1 [0075.930] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="System Volume Information") returned -1 [0075.930] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned 116 [0075.930] StrStrIW (lpFirst="mpasbase.vdm", lpSrch=".protected") returned 0x0 [0075.930] lstrcmpW (lpString1="mpasbase.vdm", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.930] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0075.930] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0075.930] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0075.931] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned 116 [0075.931] StrStrW (lpFirst="mpasbase.vdm", lpSrch=".txt") returned 0x0 [0075.931] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned 116 [0075.931] StrStrW (lpFirst="mpasbase.vdm", lpSrch=".rar") returned 0x0 [0075.931] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned 116 [0075.931] StrStrW (lpFirst="mpasbase.vdm", lpSrch=".zip") returned 0x0 [0075.931] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.938] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.938] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.938] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.938] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0075.940] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0075.940] CloseHandle (hObject=0x1e0) returned 1 [0075.940] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.protected") returned 126 [0075.940] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm.protected")) returned 1 [0075.941] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.941] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="Windows") returned -1 [0075.941] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="Program Files") returned -1 [0075.941] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="Program Files (x86)") returned -1 [0075.941] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="$Recycle.bin") returned 1 [0075.941] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="System Volume Information") returned -1 [0075.941] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned 116 [0075.941] StrStrIW (lpFirst="mpasdlta.vdm", lpSrch=".protected") returned 0x0 [0075.941] lstrcmpW (lpString1="mpasdlta.vdm", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.941] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0075.941] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0075.941] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0075.941] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned 116 [0075.941] StrStrW (lpFirst="mpasdlta.vdm", lpSrch=".txt") returned 0x0 [0075.942] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned 116 [0075.942] StrStrW (lpFirst="mpasdlta.vdm", lpSrch=".rar") returned 0x0 [0075.942] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned 116 [0075.942] StrStrW (lpFirst="mpasdlta.vdm", lpSrch=".zip") returned 0x0 [0075.942] ReadFile (in: hFile=0x1e0, lpBuffer=0x5f8760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.944] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.944] WriteFile (in: hFile=0x1e0, lpBuffer=0x5f8760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5f8760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.945] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.945] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0075.946] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0075.946] CloseHandle (hObject=0x1e0) returned 1 [0075.947] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.protected") returned 126 [0075.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm.protected")) returned 1 [0075.948] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.948] lstrcmpiW (lpString1="mpengine.dll", lpString2="Windows") returned -1 [0075.948] lstrcmpiW (lpString1="mpengine.dll", lpString2="Program Files") returned -1 [0075.948] lstrcmpiW (lpString1="mpengine.dll", lpString2="Program Files (x86)") returned -1 [0075.948] lstrcmpiW (lpString1="mpengine.dll", lpString2="$Recycle.bin") returned 1 [0075.948] lstrcmpiW (lpString1="mpengine.dll", lpString2="System Volume Information") returned -1 [0075.948] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll") returned 116 [0075.948] StrStrIW (lpFirst="mpengine.dll", lpSrch=".protected") returned 0x0 [0075.948] lstrcmpW (lpString1="mpengine.dll", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.948] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0075.948] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0075.948] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0075.948] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll") returned 116 [0075.948] StrStrW (lpFirst="mpengine.dll", lpSrch=".txt") returned 0x0 [0075.948] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll") returned 116 [0075.948] StrStrW (lpFirst="mpengine.dll", lpSrch=".rar") returned 0x0 [0075.948] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll") returned 116 [0075.948] StrStrW (lpFirst="mpengine.dll", lpSrch=".zip") returned 0x0 [0075.948] ReadFile (in: hFile=0x1e0, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.951] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.951] WriteFile (in: hFile=0x1e0, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0075.951] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.951] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0075.952] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0075.952] CloseHandle (hObject=0x1e0) returned 1 [0075.953] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll.protected") returned 126 [0075.953] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpengine.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpengine.dll.protected")) returned 1 [0075.953] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0075.953] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0075.953] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 133 [0075.953] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0075.955] lstrlenA (lpString="EMPTY") returned 5 [0075.955] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0075.955] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.955] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0075.956] CloseHandle (hObject=0x1dc) returned 1 [0075.956] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0075.956] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0075.956] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 94 [0075.956] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.982] lstrlenA (lpString="EMPTY") returned 5 [0075.983] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0075.983] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.983] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0075.983] CloseHandle (hObject=0x1d8) returned 1 [0075.985] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.985] lstrcmpiW (lpString1="LocalCopy", lpString2="Windows") returned -1 [0075.985] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files") returned -1 [0075.985] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files (x86)") returned -1 [0075.985] lstrcmpiW (lpString1="LocalCopy", lpString2="$Recycle.bin") returned 1 [0075.985] lstrcmpiW (lpString1="LocalCopy", lpString2="System Volume Information") returned -1 [0075.985] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy") returned 55 [0075.985] lstrcmpW (lpString1="LocalCopy", lpString2=".") returned 1 [0075.985] lstrcmpW (lpString1="LocalCopy", lpString2="..") returned 1 [0075.985] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*") returned 57 [0075.985] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0075.985] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.985] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.985] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.985] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.985] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.986] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\.") returned 57 [0075.986] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.986] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.986] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.986] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.986] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.986] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.986] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.986] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\..") returned 58 [0075.986] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.986] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.986] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0075.986] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0075.986] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 85 [0075.986] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\localcopy\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.987] lstrlenA (lpString="EMPTY") returned 5 [0075.987] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0075.988] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.988] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0075.988] CloseHandle (hObject=0x1d8) returned 1 [0075.988] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.988] lstrcmpiW (lpString1="Quarantine", lpString2="Windows") returned -1 [0075.988] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files") returned 1 [0075.988] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files (x86)") returned 1 [0075.988] lstrcmpiW (lpString1="Quarantine", lpString2="$Recycle.bin") returned 1 [0075.988] lstrcmpiW (lpString1="Quarantine", lpString2="System Volume Information") returned -1 [0075.988] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine") returned 56 [0075.989] lstrcmpW (lpString1="Quarantine", lpString2=".") returned 1 [0075.989] lstrcmpW (lpString1="Quarantine", lpString2="..") returned 1 [0075.989] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*") returned 58 [0075.989] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0075.989] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.989] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.989] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.989] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.989] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.989] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\.") returned 58 [0075.989] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.989] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.989] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.989] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.989] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.989] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.989] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.989] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\..") returned 59 [0075.989] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.989] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.989] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0075.989] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0075.989] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 86 [0075.989] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\quarantine\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0075.990] lstrlenA (lpString="EMPTY") returned 5 [0075.990] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0075.991] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0075.991] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0075.991] CloseHandle (hObject=0x1d8) returned 1 [0075.991] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0075.991] lstrcmpiW (lpString1="Scans", lpString2="Windows") returned -1 [0075.991] lstrcmpiW (lpString1="Scans", lpString2="Program Files") returned 1 [0075.991] lstrcmpiW (lpString1="Scans", lpString2="Program Files (x86)") returned 1 [0075.991] lstrcmpiW (lpString1="Scans", lpString2="$Recycle.bin") returned 1 [0075.991] lstrcmpiW (lpString1="Scans", lpString2="System Volume Information") returned -1 [0075.991] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans") returned 51 [0075.991] lstrcmpW (lpString1="Scans", lpString2=".") returned 1 [0075.991] lstrcmpW (lpString1="Scans", lpString2="..") returned 1 [0075.991] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*") returned 53 [0075.992] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0075.992] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.992] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.992] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.992] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.992] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.992] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\.") returned 53 [0075.992] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.992] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.992] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.993] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.993] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.993] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.993] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.993] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\..") returned 54 [0075.993] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.993] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.993] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0075.993] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0075.993] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0075.993] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0075.993] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0075.993] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0075.993] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History") returned 59 [0075.993] lstrcmpW (lpString1="History", lpString2=".") returned 1 [0075.993] lstrcmpW (lpString1="History", lpString2="..") returned 1 [0075.994] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*") returned 61 [0075.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0075.994] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.994] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.994] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.994] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.994] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.994] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\.") returned 61 [0075.994] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.994] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.994] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.994] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.994] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.994] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.994] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.994] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\..") returned 62 [0075.994] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.994] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.994] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0075.994] lstrcmpiW (lpString1="CacheManager", lpString2="Windows") returned -1 [0075.994] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files") returned -1 [0075.994] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files (x86)") returned -1 [0075.994] lstrcmpiW (lpString1="CacheManager", lpString2="$Recycle.bin") returned 1 [0075.994] lstrcmpiW (lpString1="CacheManager", lpString2="System Volume Information") returned -1 [0075.994] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned 72 [0075.994] lstrcmpW (lpString1="CacheManager", lpString2=".") returned 1 [0075.994] lstrcmpW (lpString1="CacheManager", lpString2="..") returned 1 [0075.995] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*") returned 74 [0075.995] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0075.995] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0075.995] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0075.995] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0075.995] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0075.995] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0075.995] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\.") returned 74 [0075.995] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0075.995] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0075.995] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0075.995] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0075.995] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0075.995] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0075.995] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0075.995] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\..") returned 75 [0075.995] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0075.995] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.996] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0075.996] lstrcmpiW (lpString1="MpSfc.bin", lpString2="Windows") returned -1 [0075.996] lstrcmpiW (lpString1="MpSfc.bin", lpString2="Program Files") returned -1 [0075.996] lstrcmpiW (lpString1="MpSfc.bin", lpString2="Program Files (x86)") returned -1 [0075.996] lstrcmpiW (lpString1="MpSfc.bin", lpString2="$Recycle.bin") returned 1 [0075.996] lstrcmpiW (lpString1="MpSfc.bin", lpString2="System Volume Information") returned -1 [0075.996] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned 82 [0075.996] StrStrIW (lpFirst="MpSfc.bin", lpSrch=".protected") returned 0x0 [0075.996] lstrcmpW (lpString1="MpSfc.bin", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0075.996] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0075.996] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0075.996] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0075.996] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned 82 [0075.996] StrStrW (lpFirst="MpSfc.bin", lpSrch=".txt") returned 0x0 [0075.996] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned 82 [0075.996] StrStrW (lpFirst="MpSfc.bin", lpSrch=".rar") returned 0x0 [0075.996] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned 82 [0075.996] StrStrW (lpFirst="MpSfc.bin", lpSrch=".zip") returned 0x0 [0075.996] ReadFile (in: hFile=0x1e4, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0075.998] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.999] WriteFile (in: hFile=0x1e4, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0075.999] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.999] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0075.999] WriteFile (in: hFile=0x1e4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0075.999] CloseHandle (hObject=0x1e4) returned 1 [0076.000] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin.protected") returned 92 [0076.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin.protected")) returned 1 [0076.000] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0076.000] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0076.000] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 102 [0076.000] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0076.001] lstrlenA (lpString="EMPTY") returned 5 [0076.001] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0076.001] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.001] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.002] CloseHandle (hObject=0x1e0) returned 1 [0076.002] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.002] lstrcmpiW (lpString1="Results", lpString2="Windows") returned -1 [0076.002] lstrcmpiW (lpString1="Results", lpString2="Program Files") returned 1 [0076.002] lstrcmpiW (lpString1="Results", lpString2="Program Files (x86)") returned 1 [0076.002] lstrcmpiW (lpString1="Results", lpString2="$Recycle.bin") returned 1 [0076.002] lstrcmpiW (lpString1="Results", lpString2="System Volume Information") returned -1 [0076.002] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned 67 [0076.002] lstrcmpW (lpString1="Results", lpString2=".") returned 1 [0076.002] lstrcmpW (lpString1="Results", lpString2="..") returned 1 [0076.002] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*") returned 69 [0076.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0076.002] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.002] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.002] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.002] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.002] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.002] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\.") returned 69 [0076.002] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.002] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.002] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.002] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.002] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.002] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.002] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.003] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\..") returned 70 [0076.003] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.003] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.003] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.003] lstrcmpiW (lpString1="Resource", lpString2="Windows") returned -1 [0076.003] lstrcmpiW (lpString1="Resource", lpString2="Program Files") returned 1 [0076.003] lstrcmpiW (lpString1="Resource", lpString2="Program Files (x86)") returned 1 [0076.003] lstrcmpiW (lpString1="Resource", lpString2="$Recycle.bin") returned 1 [0076.003] lstrcmpiW (lpString1="Resource", lpString2="System Volume Information") returned -1 [0076.003] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource") returned 76 [0076.003] lstrcmpW (lpString1="Resource", lpString2=".") returned 1 [0076.003] lstrcmpW (lpString1="Resource", lpString2="..") returned 1 [0076.003] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*") returned 78 [0076.003] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*", lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 0x557470 [0076.003] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.003] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.003] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.003] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.003] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.003] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\.") returned 78 [0076.003] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.003] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0076.003] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.003] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.003] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.003] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.004] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.004] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\..") returned 79 [0076.004] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.004] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.004] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0076.004] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="Windows") returned -1 [0076.004] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="Program Files") returned -1 [0076.004] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="Program Files (x86)") returned -1 [0076.004] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="$Recycle.bin") returned 1 [0076.004] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="System Volume Information") returned -1 [0076.004] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned 115 [0076.004] StrStrIW (lpFirst="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpSrch=".protected") returned 0x0 [0076.004] lstrcmpW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0076.004] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee2c8 | out: pbBuffer=0x2ee2c8) returned 1 [0076.004] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x30) returned 1 [0076.004] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0076.004] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned 115 [0076.004] StrStrW (lpFirst="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpSrch=".txt") returned 0x0 [0076.004] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned 115 [0076.004] StrStrW (lpFirst="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpSrch=".rar") returned 0x0 [0076.004] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned 115 [0076.004] StrStrW (lpFirst="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpSrch=".zip") returned 0x0 [0076.004] ReadFile (in: hFile=0x1e8, lpBuffer=0x5fc770, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x5fc770*, lpNumberOfBytesRead=0x2ee298*=0x1a60, lpOverlapped=0x0) returned 1 [0076.017] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xffffe5a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.017] WriteFile (in: hFile=0x1e8, lpBuffer=0x5fc770*, nNumberOfBytesToWrite=0x1a60, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x5fc770*, lpNumberOfBytesWritten=0x2ee298*=0x1a60, lpOverlapped=0x0) returned 1 [0076.017] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.017] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ee2c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x2ee2c4*, lpNumberOfBytesWritten=0x2ee298*=0x4, lpOverlapped=0x0) returned 1 [0076.017] WriteFile (in: hFile=0x1e8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee298*=0x30, lpOverlapped=0x0) returned 1 [0076.017] CloseHandle (hObject=0x1e8) returned 1 [0076.018] wnsprintfW (in: pszDest=0x5fc770, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.protected") returned 125 [0076.018] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}.protected")) returned 1 [0076.018] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 0 [0076.018] FindClose (in: hFindFile=0x557470 | out: hFindFile=0x557470) returned 1 [0076.018] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 106 [0076.018] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0076.019] lstrlenA (lpString="EMPTY") returned 5 [0076.019] WriteFile (in: hFile=0x1e4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee2a4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee2a4*=0x5, lpOverlapped=0x0) returned 1 [0076.020] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.020] WriteFile (in: hFile=0x1e4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee2a4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee2a4*=0x2ac, lpOverlapped=0x0) returned 1 [0076.020] CloseHandle (hObject=0x1e4) returned 1 [0076.021] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0076.021] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0076.021] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 97 [0076.022] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0076.022] lstrlenA (lpString="EMPTY") returned 5 [0076.022] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0076.023] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.023] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.023] CloseHandle (hObject=0x1e0) returned 1 [0076.023] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.023] lstrcmpiW (lpString1="Service", lpString2="Windows") returned -1 [0076.023] lstrcmpiW (lpString1="Service", lpString2="Program Files") returned 1 [0076.023] lstrcmpiW (lpString1="Service", lpString2="Program Files (x86)") returned 1 [0076.023] lstrcmpiW (lpString1="Service", lpString2="$Recycle.bin") returned 1 [0076.023] lstrcmpiW (lpString1="Service", lpString2="System Volume Information") returned -1 [0076.023] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned 67 [0076.023] lstrcmpW (lpString1="Service", lpString2=".") returned 1 [0076.023] lstrcmpW (lpString1="Service", lpString2="..") returned 1 [0076.024] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*") returned 69 [0076.024] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0076.024] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.024] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.024] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.024] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.025] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.025] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\.") returned 69 [0076.025] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.025] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.025] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.025] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.025] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.025] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.025] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.025] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\..") returned 70 [0076.025] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.025] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.025] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.025] lstrcmpiW (lpString1="History.Log", lpString2="Windows") returned -1 [0076.025] lstrcmpiW (lpString1="History.Log", lpString2="Program Files") returned -1 [0076.025] lstrcmpiW (lpString1="History.Log", lpString2="Program Files (x86)") returned -1 [0076.025] lstrcmpiW (lpString1="History.Log", lpString2="$Recycle.bin") returned 1 [0076.025] lstrcmpiW (lpString1="History.Log", lpString2="System Volume Information") returned -1 [0076.025] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log") returned 79 [0076.025] StrStrIW (lpFirst="History.Log", lpSrch=".protected") returned 0x0 [0076.025] lstrcmpW (lpString1="History.Log", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0076.025] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0076.025] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0076.025] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\history.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0076.026] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log") returned 79 [0076.026] StrStrW (lpFirst="History.Log", lpSrch=".txt") returned 0x0 [0076.026] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log") returned 79 [0076.026] StrStrW (lpFirst="History.Log", lpSrch=".rar") returned 0x0 [0076.026] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log") returned 79 [0076.026] StrStrW (lpFirst="History.Log", lpSrch=".zip") returned 0x0 [0076.026] ReadFile (in: hFile=0x1e4, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee590*=0x2, lpOverlapped=0x0) returned 1 [0076.027] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xfffffffe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.027] WriteFile (in: hFile=0x1e4, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee590*=0x2, lpOverlapped=0x0) returned 1 [0076.027] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.027] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0076.028] WriteFile (in: hFile=0x1e4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0076.028] CloseHandle (hObject=0x1e4) returned 1 [0076.028] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log.protected") returned 89 [0076.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\history.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\history.log.protected")) returned 1 [0076.028] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.028] lstrcmpiW (lpString1="Unknown.Log", lpString2="Windows") returned -1 [0076.028] lstrcmpiW (lpString1="Unknown.Log", lpString2="Program Files") returned 1 [0076.028] lstrcmpiW (lpString1="Unknown.Log", lpString2="Program Files (x86)") returned 1 [0076.028] lstrcmpiW (lpString1="Unknown.Log", lpString2="$Recycle.bin") returned 1 [0076.028] lstrcmpiW (lpString1="Unknown.Log", lpString2="System Volume Information") returned 1 [0076.028] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned 79 [0076.028] StrStrIW (lpFirst="Unknown.Log", lpSrch=".protected") returned 0x0 [0076.028] lstrcmpW (lpString1="Unknown.Log", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.028] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0076.029] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0076.029] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\unknown.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0076.029] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned 79 [0076.029] StrStrW (lpFirst="Unknown.Log", lpSrch=".txt") returned 0x0 [0076.029] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned 79 [0076.029] StrStrW (lpFirst="Unknown.Log", lpSrch=".rar") returned 0x0 [0076.029] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned 79 [0076.029] StrStrW (lpFirst="Unknown.Log", lpSrch=".zip") returned 0x0 [0076.030] ReadFile (in: hFile=0x1e4, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee590*=0x1a6e, lpOverlapped=0x0) returned 1 [0076.051] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffe592, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.051] WriteFile (in: hFile=0x1e4, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x1a6e, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee590*=0x1a6e, lpOverlapped=0x0) returned 1 [0076.052] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.052] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0076.052] WriteFile (in: hFile=0x1e4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0076.052] CloseHandle (hObject=0x1e4) returned 1 [0076.052] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log.protected") returned 89 [0076.052] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\unknown.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\unknown.log.protected")) returned 1 [0076.053] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0076.053] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0076.054] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 97 [0076.054] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0076.055] lstrlenA (lpString="EMPTY") returned 5 [0076.055] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0076.055] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.055] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.056] CloseHandle (hObject=0x1e0) returned 1 [0076.056] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.056] lstrcmpiW (lpString1="Store", lpString2="Windows") returned -1 [0076.056] lstrcmpiW (lpString1="Store", lpString2="Program Files") returned 1 [0076.056] lstrcmpiW (lpString1="Store", lpString2="Program Files (x86)") returned 1 [0076.056] lstrcmpiW (lpString1="Store", lpString2="$Recycle.bin") returned 1 [0076.056] lstrcmpiW (lpString1="Store", lpString2="System Volume Information") returned -1 [0076.056] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned 65 [0076.056] lstrcmpW (lpString1="Store", lpString2=".") returned 1 [0076.056] lstrcmpW (lpString1="Store", lpString2="..") returned 1 [0076.056] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*") returned 67 [0076.056] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0076.056] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.056] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.056] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.056] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.056] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.056] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\.") returned 67 [0076.056] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.056] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.056] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.056] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.056] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.057] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.057] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.057] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\..") returned 68 [0076.057] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.057] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.057] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0076.057] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0076.057] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 95 [0076.057] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\store\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0076.062] lstrlenA (lpString="EMPTY") returned 5 [0076.062] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0076.062] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.062] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.063] CloseHandle (hObject=0x1e0) returned 1 [0076.063] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0076.063] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0076.063] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 89 [0076.063] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0076.118] lstrlenA (lpString="EMPTY") returned 5 [0076.118] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0076.118] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.118] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0076.119] CloseHandle (hObject=0x1dc) returned 1 [0076.119] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0076.119] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0076.119] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 81 [0076.119] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0076.120] lstrlenA (lpString="EMPTY") returned 5 [0076.120] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0076.120] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.120] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.120] CloseHandle (hObject=0x1d8) returned 1 [0076.122] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0076.122] lstrcmpiW (lpString1="Support", lpString2="Windows") returned -1 [0076.122] lstrcmpiW (lpString1="Support", lpString2="Program Files") returned 1 [0076.122] lstrcmpiW (lpString1="Support", lpString2="Program Files (x86)") returned 1 [0076.122] lstrcmpiW (lpString1="Support", lpString2="$Recycle.bin") returned 1 [0076.122] lstrcmpiW (lpString1="Support", lpString2="System Volume Information") returned -1 [0076.122] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support") returned 53 [0076.122] lstrcmpW (lpString1="Support", lpString2=".") returned 1 [0076.122] lstrcmpW (lpString1="Support", lpString2="..") returned 1 [0076.122] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*") returned 55 [0076.122] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0076.122] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.122] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.122] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.122] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.122] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.122] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\.") returned 55 [0076.122] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.122] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.123] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.123] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.123] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.123] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.123] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.123] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\..") returned 56 [0076.123] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.123] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.123] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.123] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="Windows") returned -1 [0076.123] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="Program Files") returned -1 [0076.123] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="Program Files (x86)") returned -1 [0076.123] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="$Recycle.bin") returned 1 [0076.123] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="System Volume Information") returned -1 [0076.123] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned 79 [0076.123] StrStrIW (lpFirst="MPLog-07132009-221054.log", lpSrch=".protected") returned 0x0 [0076.123] lstrcmpW (lpString1="MPLog-07132009-221054.log", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.123] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0076.123] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0076.123] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-221054.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0076.123] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned 79 [0076.123] StrStrW (lpFirst="MPLog-07132009-221054.log", lpSrch=".txt") returned 0x0 [0076.123] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned 79 [0076.123] StrStrW (lpFirst="MPLog-07132009-221054.log", lpSrch=".rar") returned 0x0 [0076.123] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned 79 [0076.123] StrStrW (lpFirst="MPLog-07132009-221054.log", lpSrch=".zip") returned 0x0 [0076.124] ReadFile (in: hFile=0x1dc, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0076.161] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.161] WriteFile (in: hFile=0x1dc, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0076.161] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.161] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0076.162] WriteFile (in: hFile=0x1dc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0076.162] CloseHandle (hObject=0x1dc) returned 1 [0076.195] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log.protected") returned 89 [0076.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-221054.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log.protected" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-221054.log.protected")) returned 1 [0076.195] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0076.195] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0076.196] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 83 [0076.196] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0076.196] lstrlenA (lpString="EMPTY") returned 5 [0076.196] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0076.197] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.197] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.197] CloseHandle (hObject=0x1d8) returned 1 [0076.198] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0076.198] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0076.198] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 75 [0076.198] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.198] lstrlenA (lpString="EMPTY") returned 5 [0076.198] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0076.199] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.199] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0076.200] CloseHandle (hObject=0x1d4) returned 1 [0076.200] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.200] lstrcmpiW (lpString1="Windows NT", lpString2="Windows") returned 1 [0076.200] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files") returned 1 [0076.200] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files (x86)") returned 1 [0076.200] lstrcmpiW (lpString1="Windows NT", lpString2="$Recycle.bin") returned 1 [0076.200] lstrcmpiW (lpString1="Windows NT", lpString2="System Volume Information") returned 1 [0076.200] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT") returned 39 [0076.200] lstrcmpW (lpString1="Windows NT", lpString2=".") returned 1 [0076.200] lstrcmpW (lpString1="Windows NT", lpString2="..") returned 1 [0076.200] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*") returned 41 [0076.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0076.201] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.201] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.201] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.201] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.201] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.201] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\.") returned 41 [0076.201] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.201] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0076.201] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.201] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.201] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.201] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.201] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.201] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\..") returned 42 [0076.201] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.201] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.201] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0076.201] lstrcmpiW (lpString1="MSFax", lpString2="Windows") returned -1 [0076.201] lstrcmpiW (lpString1="MSFax", lpString2="Program Files") returned -1 [0076.201] lstrcmpiW (lpString1="MSFax", lpString2="Program Files (x86)") returned -1 [0076.201] lstrcmpiW (lpString1="MSFax", lpString2="$Recycle.bin") returned 1 [0076.201] lstrcmpiW (lpString1="MSFax", lpString2="System Volume Information") returned -1 [0076.201] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax") returned 45 [0076.201] lstrcmpW (lpString1="MSFax", lpString2=".") returned 1 [0076.201] lstrcmpW (lpString1="MSFax", lpString2="..") returned 1 [0076.201] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*") returned 47 [0076.202] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0076.203] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.203] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.203] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.203] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.203] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.204] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\.") returned 47 [0076.204] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.204] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.204] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.204] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.204] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.204] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.204] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.204] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\..") returned 48 [0076.204] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.204] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.204] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.204] lstrcmpiW (lpString1="ActivityLog", lpString2="Windows") returned -1 [0076.204] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files") returned -1 [0076.204] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files (x86)") returned -1 [0076.204] lstrcmpiW (lpString1="ActivityLog", lpString2="$Recycle.bin") returned 1 [0076.204] lstrcmpiW (lpString1="ActivityLog", lpString2="System Volume Information") returned -1 [0076.204] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned 57 [0076.204] lstrcmpW (lpString1="ActivityLog", lpString2=".") returned 1 [0076.204] lstrcmpW (lpString1="ActivityLog", lpString2="..") returned 1 [0076.204] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*") returned 59 [0076.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0076.205] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.205] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.205] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.205] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.205] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.205] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\.") returned 59 [0076.205] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.205] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.205] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.205] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.205] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.205] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.205] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.205] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\..") returned 60 [0076.205] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.205] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.205] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0076.205] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0076.205] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 87 [0076.205] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\activitylog\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0076.205] lstrlenA (lpString="EMPTY") returned 5 [0076.206] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0076.206] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.206] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0076.206] CloseHandle (hObject=0x1dc) returned 1 [0076.207] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.207] lstrcmpiW (lpString1="Common Coverpages", lpString2="Windows") returned -1 [0076.207] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files") returned -1 [0076.207] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files (x86)") returned -1 [0076.207] lstrcmpiW (lpString1="Common Coverpages", lpString2="$Recycle.bin") returned 1 [0076.207] lstrcmpiW (lpString1="Common Coverpages", lpString2="System Volume Information") returned -1 [0076.207] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned 63 [0076.207] lstrcmpW (lpString1="Common Coverpages", lpString2=".") returned 1 [0076.207] lstrcmpW (lpString1="Common Coverpages", lpString2="..") returned 1 [0076.207] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*") returned 65 [0076.207] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0076.207] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.207] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.207] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.207] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.207] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.207] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\.") returned 65 [0076.207] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.207] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.207] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.207] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.207] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.207] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.207] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.207] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\..") returned 66 [0076.207] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.207] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.207] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.208] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0076.208] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0076.208] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0076.208] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0076.208] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0076.208] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned 69 [0076.208] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0076.208] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0076.208] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*") returned 71 [0076.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0076.209] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.209] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.209] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.209] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.209] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.209] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\.") returned 71 [0076.209] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.209] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.209] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.209] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.209] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.209] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.209] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.209] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\..") returned 72 [0076.209] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.209] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.209] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.209] lstrcmpiW (lpString1="confident.cov", lpString2="Windows") returned -1 [0076.209] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files") returned -1 [0076.209] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files (x86)") returned -1 [0076.209] lstrcmpiW (lpString1="confident.cov", lpString2="$Recycle.bin") returned 1 [0076.209] lstrcmpiW (lpString1="confident.cov", lpString2="System Volume Information") returned -1 [0076.209] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov") returned 83 [0076.209] StrStrIW (lpFirst="confident.cov", lpSrch=".protected") returned 0x0 [0076.209] lstrcmpW (lpString1="confident.cov", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0076.209] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0076.209] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0076.209] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\confident.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.210] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.210] lstrcmpiW (lpString1="fyi.cov", lpString2="Windows") returned -1 [0076.210] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files") returned -1 [0076.210] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files (x86)") returned -1 [0076.210] lstrcmpiW (lpString1="fyi.cov", lpString2="$Recycle.bin") returned 1 [0076.210] lstrcmpiW (lpString1="fyi.cov", lpString2="System Volume Information") returned -1 [0076.210] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov") returned 77 [0076.210] StrStrIW (lpFirst="fyi.cov", lpSrch=".protected") returned 0x0 [0076.210] lstrcmpW (lpString1="fyi.cov", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0076.210] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0076.210] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0076.210] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\fyi.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.211] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.211] lstrcmpiW (lpString1="generic.cov", lpString2="Windows") returned -1 [0076.211] lstrcmpiW (lpString1="generic.cov", lpString2="Program Files") returned -1 [0076.211] lstrcmpiW (lpString1="generic.cov", lpString2="Program Files (x86)") returned -1 [0076.211] lstrcmpiW (lpString1="generic.cov", lpString2="$Recycle.bin") returned 1 [0076.211] lstrcmpiW (lpString1="generic.cov", lpString2="System Volume Information") returned -1 [0076.211] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov") returned 81 [0076.211] StrStrIW (lpFirst="generic.cov", lpSrch=".protected") returned 0x0 [0076.211] lstrcmpW (lpString1="generic.cov", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0076.211] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0076.211] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0076.211] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\generic.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.211] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.211] lstrcmpiW (lpString1="urgent.cov", lpString2="Windows") returned -1 [0076.211] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files") returned 1 [0076.211] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files (x86)") returned 1 [0076.211] lstrcmpiW (lpString1="urgent.cov", lpString2="$Recycle.bin") returned 1 [0076.211] lstrcmpiW (lpString1="urgent.cov", lpString2="System Volume Information") returned 1 [0076.211] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov") returned 80 [0076.211] StrStrIW (lpFirst="urgent.cov", lpSrch=".protected") returned 0x0 [0076.211] lstrcmpW (lpString1="urgent.cov", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.211] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0076.211] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0076.211] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\urgent.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.211] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0076.212] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0076.212] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 99 [0076.212] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0076.212] lstrlenA (lpString="EMPTY") returned 5 [0076.212] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0076.213] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.213] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.213] CloseHandle (hObject=0x1e0) returned 1 [0076.214] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0076.214] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0076.214] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 93 [0076.214] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0076.214] lstrlenA (lpString="EMPTY") returned 5 [0076.214] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0076.215] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.215] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0076.215] CloseHandle (hObject=0x1dc) returned 1 [0076.216] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.216] lstrcmpiW (lpString1="Inbox", lpString2="Windows") returned -1 [0076.216] lstrcmpiW (lpString1="Inbox", lpString2="Program Files") returned -1 [0076.216] lstrcmpiW (lpString1="Inbox", lpString2="Program Files (x86)") returned -1 [0076.216] lstrcmpiW (lpString1="Inbox", lpString2="$Recycle.bin") returned 1 [0076.216] lstrcmpiW (lpString1="Inbox", lpString2="System Volume Information") returned -1 [0076.216] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox") returned 51 [0076.216] lstrcmpW (lpString1="Inbox", lpString2=".") returned 1 [0076.216] lstrcmpW (lpString1="Inbox", lpString2="..") returned 1 [0076.216] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*") returned 53 [0076.217] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0076.217] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.217] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.217] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.217] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.217] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.217] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\.") returned 53 [0076.217] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.217] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.217] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.217] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.217] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.218] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.218] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.218] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\..") returned 54 [0076.218] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.218] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.218] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0076.218] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0076.218] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 81 [0076.218] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\inbox\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0076.218] lstrlenA (lpString="EMPTY") returned 5 [0076.218] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0076.219] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.219] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0076.219] CloseHandle (hObject=0x1dc) returned 1 [0076.219] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.219] lstrcmpiW (lpString1="Queue", lpString2="Windows") returned -1 [0076.219] lstrcmpiW (lpString1="Queue", lpString2="Program Files") returned 1 [0076.219] lstrcmpiW (lpString1="Queue", lpString2="Program Files (x86)") returned 1 [0076.219] lstrcmpiW (lpString1="Queue", lpString2="$Recycle.bin") returned 1 [0076.219] lstrcmpiW (lpString1="Queue", lpString2="System Volume Information") returned -1 [0076.219] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue") returned 51 [0076.219] lstrcmpW (lpString1="Queue", lpString2=".") returned 1 [0076.219] lstrcmpW (lpString1="Queue", lpString2="..") returned 1 [0076.219] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*") returned 53 [0076.219] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0076.220] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.220] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.220] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.220] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.220] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.220] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\.") returned 53 [0076.220] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.220] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.220] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.220] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.220] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.220] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.220] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.220] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\..") returned 54 [0076.220] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.220] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.220] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0076.220] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0076.220] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 81 [0076.220] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\queue\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0076.220] lstrlenA (lpString="EMPTY") returned 5 [0076.221] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0076.221] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.221] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0076.221] CloseHandle (hObject=0x1dc) returned 1 [0076.222] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.222] lstrcmpiW (lpString1="SentItems", lpString2="Windows") returned -1 [0076.222] lstrcmpiW (lpString1="SentItems", lpString2="Program Files") returned 1 [0076.222] lstrcmpiW (lpString1="SentItems", lpString2="Program Files (x86)") returned 1 [0076.222] lstrcmpiW (lpString1="SentItems", lpString2="$Recycle.bin") returned 1 [0076.222] lstrcmpiW (lpString1="SentItems", lpString2="System Volume Information") returned -1 [0076.222] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems") returned 55 [0076.222] lstrcmpW (lpString1="SentItems", lpString2=".") returned 1 [0076.222] lstrcmpW (lpString1="SentItems", lpString2="..") returned 1 [0076.222] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*") returned 57 [0076.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0076.222] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.222] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.222] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.222] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.222] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.222] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\.") returned 57 [0076.222] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.222] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.222] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.222] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.222] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.222] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.222] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.222] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\..") returned 58 [0076.222] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.223] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.223] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0076.223] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0076.223] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 85 [0076.223] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\sentitems\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0076.224] lstrlenA (lpString="EMPTY") returned 5 [0076.224] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0076.224] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.224] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0076.224] CloseHandle (hObject=0x1dc) returned 1 [0076.225] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.225] lstrcmpiW (lpString1="VirtualInbox", lpString2="Windows") returned -1 [0076.225] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files") returned 1 [0076.225] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files (x86)") returned 1 [0076.225] lstrcmpiW (lpString1="VirtualInbox", lpString2="$Recycle.bin") returned 1 [0076.225] lstrcmpiW (lpString1="VirtualInbox", lpString2="System Volume Information") returned 1 [0076.225] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned 58 [0076.225] lstrcmpW (lpString1="VirtualInbox", lpString2=".") returned 1 [0076.225] lstrcmpW (lpString1="VirtualInbox", lpString2="..") returned 1 [0076.225] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*") returned 60 [0076.225] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0076.225] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.225] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.225] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.225] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.225] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.225] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\.") returned 60 [0076.225] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.225] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.225] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.225] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.225] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.225] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.225] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.225] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\..") returned 61 [0076.226] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.226] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.226] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.226] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0076.226] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0076.226] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0076.226] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0076.226] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0076.226] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned 64 [0076.226] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0076.226] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0076.226] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*") returned 66 [0076.226] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0076.227] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.227] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.227] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.227] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.227] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.227] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\.") returned 66 [0076.227] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.227] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.228] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.228] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.228] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.228] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.228] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.228] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\..") returned 67 [0076.228] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.228] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.228] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.228] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Windows") returned -1 [0076.228] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files") returned 1 [0076.228] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files (x86)") returned 1 [0076.228] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="$Recycle.bin") returned 1 [0076.228] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="System Volume Information") returned 1 [0076.228] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif") returned 79 [0076.228] StrStrIW (lpFirst="WelcomeFax.tif", lpSrch=".protected") returned 0x0 [0076.228] lstrcmpW (lpString1="WelcomeFax.tif", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.228] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0076.228] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0076.228] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\welcomefax.tif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.228] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0076.228] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0076.228] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 94 [0076.228] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0076.229] lstrlenA (lpString="EMPTY") returned 5 [0076.229] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0076.230] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.230] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.230] CloseHandle (hObject=0x1e0) returned 1 [0076.230] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0076.230] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0076.230] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 88 [0076.230] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0076.230] lstrlenA (lpString="EMPTY") returned 5 [0076.230] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0076.231] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.231] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0076.231] CloseHandle (hObject=0x1dc) returned 1 [0076.232] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0076.232] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0076.232] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 75 [0076.233] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0076.233] lstrlenA (lpString="EMPTY") returned 5 [0076.233] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0076.234] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.234] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.234] CloseHandle (hObject=0x1d8) returned 1 [0076.234] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0076.234] lstrcmpiW (lpString1="MSScan", lpString2="Windows") returned -1 [0076.234] lstrcmpiW (lpString1="MSScan", lpString2="Program Files") returned -1 [0076.234] lstrcmpiW (lpString1="MSScan", lpString2="Program Files (x86)") returned -1 [0076.234] lstrcmpiW (lpString1="MSScan", lpString2="$Recycle.bin") returned 1 [0076.234] lstrcmpiW (lpString1="MSScan", lpString2="System Volume Information") returned -1 [0076.234] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan") returned 46 [0076.234] lstrcmpW (lpString1="MSScan", lpString2=".") returned 1 [0076.234] lstrcmpW (lpString1="MSScan", lpString2="..") returned 1 [0076.234] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*") returned 48 [0076.234] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0076.234] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.234] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.235] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.235] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.235] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.235] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\.") returned 48 [0076.235] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.235] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.235] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.235] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.235] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.235] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.235] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.235] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\..") returned 49 [0076.235] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.235] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.235] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.235] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Windows") returned -1 [0076.235] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files") returned 1 [0076.235] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files (x86)") returned 1 [0076.235] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="$Recycle.bin") returned 1 [0076.235] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="System Volume Information") returned 1 [0076.235] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned 62 [0076.235] StrStrIW (lpFirst="WelcomeScan.jpg", lpSrch=".protected") returned 0x0 [0076.235] lstrcmpW (lpString1="WelcomeScan.jpg", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.235] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0076.235] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0076.235] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.235] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0076.235] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0076.235] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 76 [0076.236] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0076.236] lstrlenA (lpString="EMPTY") returned 5 [0076.236] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0076.237] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.237] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.237] CloseHandle (hObject=0x1d8) returned 1 [0076.237] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0076.237] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0076.238] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 69 [0076.238] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.238] lstrlenA (lpString="EMPTY") returned 5 [0076.238] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0076.239] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.239] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0076.239] CloseHandle (hObject=0x1d4) returned 1 [0076.241] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.241] lstrcmpiW (lpString1="WwanSvc", lpString2="Windows") returned 1 [0076.241] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files") returned 1 [0076.241] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files (x86)") returned 1 [0076.241] lstrcmpiW (lpString1="WwanSvc", lpString2="$Recycle.bin") returned 1 [0076.241] lstrcmpiW (lpString1="WwanSvc", lpString2="System Volume Information") returned 1 [0076.241] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc") returned 36 [0076.241] lstrcmpW (lpString1="WwanSvc", lpString2=".") returned 1 [0076.241] lstrcmpW (lpString1="WwanSvc", lpString2="..") returned 1 [0076.242] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*") returned 38 [0076.242] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0076.242] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.242] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.242] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.242] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.242] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.242] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\.") returned 38 [0076.242] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.242] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0076.242] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0076.242] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0076.242] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0076.242] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\." (normalized: "c:\\programdata\\microsoft\\wwansvc\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.242] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0076.242] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.242] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.242] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.242] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.242] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.242] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\..") returned 39 [0076.243] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.243] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.243] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0076.243] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0076.243] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0076.243] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0076.243] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\.." (normalized: "c:\\programdata\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.243] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0076.243] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0076.243] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0076.243] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0076.243] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0076.243] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0076.243] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles") returned 45 [0076.243] lstrcmpW (lpString1="Profiles", lpString2=".") returned 1 [0076.243] lstrcmpW (lpString1="Profiles", lpString2="..") returned 1 [0076.243] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*") returned 47 [0076.243] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0076.243] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.243] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.243] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.244] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.244] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.244] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\.") returned 47 [0076.244] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.244] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0076.244] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0076.244] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0076.244] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0076.244] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\." (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.244] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.244] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.244] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.244] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.244] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.244] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.244] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\..") returned 48 [0076.244] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.244] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.244] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0076.244] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0076.244] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0076.244] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0076.244] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\.." (normalized: "c:\\programdata\\microsoft\\wwansvc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.244] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0076.244] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0076.245] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 75 [0076.245] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.245] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0076.245] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0076.245] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 66 [0076.245] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\wwansvc\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.245] lstrlenA (lpString="EMPTY") returned 5 [0076.245] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0076.246] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.246] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0076.246] CloseHandle (hObject=0x1d4) returned 1 [0076.246] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0076.246] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0076.246] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 58 [0076.246] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0076.247] lstrlenA (lpString="EMPTY") returned 5 [0076.247] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0076.249] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.249] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.249] CloseHandle (hObject=0x1d0) returned 1 [0076.249] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0076.249] lstrcmpiW (lpString1="Microsoft Help", lpString2="Windows") returned -1 [0076.249] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files") returned -1 [0076.249] lstrcmpiW (lpString1="Microsoft Help", lpString2="Program Files (x86)") returned -1 [0076.249] lstrcmpiW (lpString1="Microsoft Help", lpString2="$Recycle.bin") returned 1 [0076.249] lstrcmpiW (lpString1="Microsoft Help", lpString2="System Volume Information") returned -1 [0076.249] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help") returned 33 [0076.249] lstrcmpW (lpString1="Microsoft Help", lpString2=".") returned 1 [0076.249] lstrcmpW (lpString1="Microsoft Help", lpString2="..") returned 1 [0076.249] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\*") returned 35 [0076.249] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0076.279] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.279] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.279] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.279] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.280] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.280] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\.") returned 35 [0076.280] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.280] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.289] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.289] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.289] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.289] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.289] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.289] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\..") returned 36 [0076.289] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.289] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.289] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.289] lstrcmpiW (lpString1="Hx.hxn", lpString2="Windows") returned -1 [0076.289] lstrcmpiW (lpString1="Hx.hxn", lpString2="Program Files") returned -1 [0076.289] lstrcmpiW (lpString1="Hx.hxn", lpString2="Program Files (x86)") returned -1 [0076.289] lstrcmpiW (lpString1="Hx.hxn", lpString2="$Recycle.bin") returned 1 [0076.289] lstrcmpiW (lpString1="Hx.hxn", lpString2="System Volume Information") returned -1 [0076.289] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn") returned 40 [0076.289] StrStrIW (lpFirst="Hx.hxn", lpSrch=".protected") returned 0x0 [0076.289] lstrcmpW (lpString1="Hx.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.289] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.289] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.289] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn" (normalized: "c:\\programdata\\microsoft help\\hx.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.290] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn") returned 40 [0076.290] StrStrW (lpFirst="Hx.hxn", lpSrch=".txt") returned 0x0 [0076.290] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn") returned 40 [0076.290] StrStrW (lpFirst="Hx.hxn", lpSrch=".rar") returned 0x0 [0076.290] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn") returned 40 [0076.290] StrStrW (lpFirst="Hx.hxn", lpSrch=".zip") returned 0x0 [0076.290] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x186, lpOverlapped=0x0) returned 1 [0076.291] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.291] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x186, lpOverlapped=0x0) returned 1 [0076.291] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.291] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.291] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.291] CloseHandle (hObject=0x1d4) returned 1 [0076.292] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn.protected") returned 50 [0076.292] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn" (normalized: "c:\\programdata\\microsoft help\\hx.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\hx.hxn.protected")) returned 1 [0076.292] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.292] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="Windows") returned -1 [0076.292] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="Program Files") returned -1 [0076.292] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.292] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.292] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.292] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned 54 [0076.292] StrStrIW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.292] lstrcmpW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.292] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.293] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.293] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.293] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned 54 [0076.293] StrStrW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.294] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned 54 [0076.294] StrStrW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.294] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned 54 [0076.294] StrStrW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.294] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x146, lpOverlapped=0x0) returned 1 [0076.294] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.294] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x146, lpOverlapped=0x0) returned 1 [0076.295] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.295] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.295] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.295] CloseHandle (hObject=0x1d4) returned 1 [0076.295] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn.protected") returned 64 [0076.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn.protected")) returned 1 [0076.295] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.295] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0076.296] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0076.296] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.296] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.296] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.296] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned 58 [0076.296] StrStrIW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.296] lstrcmpW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.296] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.296] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.296] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.296] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned 58 [0076.296] StrStrW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.296] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned 58 [0076.296] StrStrW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.296] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned 58 [0076.296] StrStrW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.296] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x15e, lpOverlapped=0x0) returned 1 [0076.297] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.297] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x15e, lpOverlapped=0x0) returned 1 [0076.297] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.297] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.297] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.297] CloseHandle (hObject=0x1d4) returned 1 [0076.298] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.protected") returned 68 [0076.298] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn.protected")) returned 1 [0076.298] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.298] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="Windows") returned -1 [0076.298] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="Program Files") returned -1 [0076.298] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.298] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.298] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.298] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned 54 [0076.298] StrStrIW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.298] lstrcmpW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.298] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.298] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.298] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.299] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned 54 [0076.299] StrStrW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.299] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned 54 [0076.299] StrStrW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.299] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned 54 [0076.299] StrStrW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.299] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x146, lpOverlapped=0x0) returned 1 [0076.300] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.300] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x146, lpOverlapped=0x0) returned 1 [0076.300] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.300] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.301] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.301] CloseHandle (hObject=0x1d4) returned 1 [0076.301] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn.protected") returned 64 [0076.301] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn.protected")) returned 1 [0076.301] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.301] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="Windows") returned -1 [0076.301] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="Program Files") returned -1 [0076.301] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.301] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.301] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.301] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned 55 [0076.301] StrStrIW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.301] lstrcmpW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.301] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.302] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.302] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.302] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned 55 [0076.302] StrStrW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.302] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned 55 [0076.302] StrStrW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.302] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned 55 [0076.302] StrStrW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.302] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x14c, lpOverlapped=0x0) returned 1 [0076.303] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffeb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.303] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x14c, lpOverlapped=0x0) returned 1 [0076.303] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.303] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.303] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.303] CloseHandle (hObject=0x1d4) returned 1 [0076.303] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn.protected") returned 65 [0076.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn.protected")) returned 1 [0076.304] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.304] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="Windows") returned -1 [0076.304] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="Program Files") returned -1 [0076.304] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.304] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.304] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.304] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned 57 [0076.304] StrStrIW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.304] lstrcmpW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.304] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.304] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.304] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.307] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned 57 [0076.307] StrStrW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.307] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned 57 [0076.307] StrStrW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.307] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned 57 [0076.307] StrStrW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.307] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x158, lpOverlapped=0x0) returned 1 [0076.308] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.308] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x158, lpOverlapped=0x0) returned 1 [0076.308] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.308] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.308] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.308] CloseHandle (hObject=0x1d4) returned 1 [0076.309] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.protected") returned 67 [0076.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn.protected")) returned 1 [0076.309] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.309] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="Windows") returned -1 [0076.309] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="Program Files") returned -1 [0076.309] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.309] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.309] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.309] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned 63 [0076.309] StrStrIW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.309] lstrcmpW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.309] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.309] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.309] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.310] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned 63 [0076.310] StrStrW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.310] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned 63 [0076.310] StrStrW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.310] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned 63 [0076.310] StrStrW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.310] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x17c, lpOverlapped=0x0) returned 1 [0076.311] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffe84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.311] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x17c, lpOverlapped=0x0) returned 1 [0076.311] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.311] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.311] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.311] CloseHandle (hObject=0x1d4) returned 1 [0076.311] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.protected") returned 73 [0076.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn.protected")) returned 1 [0076.312] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.312] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="Windows") returned -1 [0076.312] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="Program Files") returned -1 [0076.312] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.312] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.312] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.312] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned 57 [0076.312] StrStrIW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.312] lstrcmpW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.312] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.312] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.312] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.313] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned 57 [0076.313] StrStrW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.313] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned 57 [0076.313] StrStrW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.313] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned 57 [0076.313] StrStrW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.313] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x158, lpOverlapped=0x0) returned 1 [0076.314] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.314] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x158, lpOverlapped=0x0) returned 1 [0076.314] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.314] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.314] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.314] CloseHandle (hObject=0x1d4) returned 1 [0076.314] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.protected") returned 67 [0076.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn.protected")) returned 1 [0076.315] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.315] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0076.315] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0076.315] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.315] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.315] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.315] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned 61 [0076.315] StrStrIW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.315] lstrcmpW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.315] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.315] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.315] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.315] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned 61 [0076.315] StrStrW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.315] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned 61 [0076.315] StrStrW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.315] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned 61 [0076.315] StrStrW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.315] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x170, lpOverlapped=0x0) returned 1 [0076.316] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffe90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.316] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x170, lpOverlapped=0x0) returned 1 [0076.317] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.317] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.317] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.317] CloseHandle (hObject=0x1d4) returned 1 [0076.317] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.protected") returned 71 [0076.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn.protected")) returned 1 [0076.317] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.317] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="Windows") returned -1 [0076.317] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="Program Files") returned -1 [0076.317] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.317] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.318] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.318] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned 54 [0076.318] StrStrIW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.318] lstrcmpW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.318] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.318] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.318] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.318] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned 54 [0076.318] StrStrW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.318] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned 54 [0076.318] StrStrW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.318] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned 54 [0076.318] StrStrW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.318] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x146, lpOverlapped=0x0) returned 1 [0076.319] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.319] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x146, lpOverlapped=0x0) returned 1 [0076.319] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.319] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.319] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.319] CloseHandle (hObject=0x1d4) returned 1 [0076.319] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn.protected") returned 64 [0076.319] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn.protected")) returned 1 [0076.320] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.320] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="Windows") returned -1 [0076.320] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="Program Files") returned -1 [0076.320] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.320] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.320] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.320] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned 54 [0076.320] StrStrIW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.320] lstrcmpW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.320] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.320] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.320] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.321] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned 54 [0076.321] StrStrW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.321] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned 54 [0076.321] StrStrW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.321] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned 54 [0076.321] StrStrW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.321] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x146, lpOverlapped=0x0) returned 1 [0076.322] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.322] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x146, lpOverlapped=0x0) returned 1 [0076.322] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.322] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.322] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.322] CloseHandle (hObject=0x1d4) returned 1 [0076.322] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn.protected") returned 64 [0076.322] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn.protected")) returned 1 [0076.323] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.323] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0076.323] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0076.323] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.323] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.323] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.323] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned 58 [0076.323] StrStrIW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.323] lstrcmpW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.323] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.323] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.323] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.323] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned 58 [0076.323] StrStrW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.323] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned 58 [0076.323] StrStrW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.323] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned 58 [0076.323] StrStrW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.323] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x15e, lpOverlapped=0x0) returned 1 [0076.324] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.324] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x15e, lpOverlapped=0x0) returned 1 [0076.324] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.324] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.324] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.324] CloseHandle (hObject=0x1d4) returned 1 [0076.324] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.protected") returned 68 [0076.324] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn.protected")) returned 1 [0076.325] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.325] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="Windows") returned -1 [0076.325] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="Program Files") returned -1 [0076.325] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.325] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.325] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.325] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned 55 [0076.325] StrStrIW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.325] lstrcmpW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.325] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.325] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.325] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.325] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned 55 [0076.325] StrStrW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.325] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned 55 [0076.325] StrStrW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.325] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned 55 [0076.325] StrStrW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.325] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x14c, lpOverlapped=0x0) returned 1 [0076.326] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffeb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.326] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x14c, lpOverlapped=0x0) returned 1 [0076.326] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.326] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.326] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.326] CloseHandle (hObject=0x1d4) returned 1 [0076.326] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn.protected") returned 65 [0076.326] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn.protected")) returned 1 [0076.327] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.327] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="Windows") returned -1 [0076.327] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="Program Files") returned -1 [0076.327] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.327] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.327] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.327] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn") returned 52 [0076.327] StrStrIW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.327] lstrcmpW (lpString1="MS.OIS.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.327] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.327] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.327] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.327] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn") returned 52 [0076.327] StrStrW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.327] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn") returned 52 [0076.327] StrStrW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.327] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn") returned 52 [0076.327] StrStrW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.327] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x13a, lpOverlapped=0x0) returned 1 [0076.328] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffec6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.328] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x13a, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x13a, lpOverlapped=0x0) returned 1 [0076.328] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.328] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.328] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.328] CloseHandle (hObject=0x1d4) returned 1 [0076.328] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn.protected") returned 62 [0076.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn.protected")) returned 1 [0076.329] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.329] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="Windows") returned -1 [0076.329] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="Program Files") returned -1 [0076.329] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.329] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.329] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.329] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned 56 [0076.329] StrStrIW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.329] lstrcmpW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.329] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.329] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.329] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.329] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned 56 [0076.329] StrStrW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.329] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned 56 [0076.329] StrStrW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.329] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned 56 [0076.329] StrStrW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.329] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x152, lpOverlapped=0x0) returned 1 [0076.330] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.330] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x152, lpOverlapped=0x0) returned 1 [0076.330] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.330] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.330] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.330] CloseHandle (hObject=0x1d4) returned 1 [0076.330] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.protected") returned 66 [0076.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn.protected")) returned 1 [0076.331] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.331] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="Windows") returned -1 [0076.331] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="Program Files") returned -1 [0076.331] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.331] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.331] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.331] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned 56 [0076.331] StrStrIW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.331] lstrcmpW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.331] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.331] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.331] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.332] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned 56 [0076.332] StrStrW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.332] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned 56 [0076.332] StrStrW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.332] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned 56 [0076.332] StrStrW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.332] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x152, lpOverlapped=0x0) returned 1 [0076.332] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.332] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x152, lpOverlapped=0x0) returned 1 [0076.333] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.333] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.333] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.333] CloseHandle (hObject=0x1d4) returned 1 [0076.333] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.protected") returned 66 [0076.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn.protected")) returned 1 [0076.333] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.333] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0076.333] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0076.333] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.333] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.333] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.334] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned 60 [0076.334] StrStrIW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.334] lstrcmpW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.334] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.334] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.334] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.334] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned 60 [0076.334] StrStrW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.334] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned 60 [0076.334] StrStrW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.334] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned 60 [0076.334] StrStrW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.334] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x16a, lpOverlapped=0x0) returned 1 [0076.335] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.335] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x16a, lpOverlapped=0x0) returned 1 [0076.335] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.335] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.335] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.335] CloseHandle (hObject=0x1d4) returned 1 [0076.335] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.protected") returned 70 [0076.336] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn.protected")) returned 1 [0076.336] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.336] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="Windows") returned -1 [0076.336] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="Program Files") returned -1 [0076.336] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.336] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.336] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.336] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned 57 [0076.336] StrStrIW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.336] lstrcmpW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.336] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.336] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.336] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.337] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned 57 [0076.337] StrStrW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.337] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned 57 [0076.337] StrStrW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.337] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned 57 [0076.337] StrStrW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.337] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x158, lpOverlapped=0x0) returned 1 [0076.338] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.338] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x158, lpOverlapped=0x0) returned 1 [0076.338] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.338] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.338] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.338] CloseHandle (hObject=0x1d4) returned 1 [0076.338] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.protected") returned 67 [0076.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn.protected")) returned 1 [0076.338] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.338] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0076.338] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0076.338] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.339] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.339] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.339] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned 61 [0076.339] StrStrIW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.339] lstrcmpW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.339] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.339] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.339] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.339] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned 61 [0076.339] StrStrW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.339] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned 61 [0076.339] StrStrW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.339] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned 61 [0076.339] StrStrW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.339] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x170, lpOverlapped=0x0) returned 1 [0076.340] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffe90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.340] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x170, lpOverlapped=0x0) returned 1 [0076.340] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.340] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.340] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.340] CloseHandle (hObject=0x1d4) returned 1 [0076.340] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.protected") returned 71 [0076.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn.protected")) returned 1 [0076.341] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.341] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="Windows") returned -1 [0076.341] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="Program Files") returned -1 [0076.341] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.341] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.341] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.341] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned 56 [0076.341] StrStrIW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.341] lstrcmpW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.341] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.341] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.341] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.341] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned 56 [0076.341] StrStrW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.341] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned 56 [0076.341] StrStrW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.341] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned 56 [0076.341] StrStrW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.341] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x152, lpOverlapped=0x0) returned 1 [0076.342] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.342] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x152, lpOverlapped=0x0) returned 1 [0076.342] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.342] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.342] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.342] CloseHandle (hObject=0x1d4) returned 1 [0076.342] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn.protected") returned 66 [0076.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn.protected")) returned 1 [0076.342] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.343] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="Windows") returned -1 [0076.343] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="Program Files") returned -1 [0076.343] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.343] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.343] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.343] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned 54 [0076.343] StrStrIW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.343] lstrcmpW (lpString1="MS.VISIO.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.343] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.343] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.343] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.343] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned 54 [0076.343] StrStrW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.343] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned 54 [0076.343] StrStrW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.343] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned 54 [0076.343] StrStrW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.343] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x146, lpOverlapped=0x0) returned 1 [0076.344] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.344] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x146, lpOverlapped=0x0) returned 1 [0076.344] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.344] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.344] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.344] CloseHandle (hObject=0x1d4) returned 1 [0076.345] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn.protected") returned 64 [0076.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn.protected")) returned 1 [0076.346] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.346] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0076.346] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0076.346] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.346] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.346] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.346] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned 58 [0076.346] StrStrIW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.346] lstrcmpW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.346] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.346] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.346] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.346] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned 58 [0076.346] StrStrW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.346] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned 58 [0076.346] StrStrW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.346] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned 58 [0076.346] StrStrW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.346] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x15e, lpOverlapped=0x0) returned 1 [0076.347] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.347] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x15e, lpOverlapped=0x0) returned 1 [0076.347] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.347] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.347] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.347] CloseHandle (hObject=0x1d4) returned 1 [0076.347] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.protected") returned 68 [0076.347] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn.protected")) returned 1 [0076.348] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.348] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="Windows") returned -1 [0076.348] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="Program Files") returned -1 [0076.348] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.348] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.348] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.348] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned 65 [0076.348] StrStrIW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.348] lstrcmpW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.348] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.348] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.348] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.348] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned 65 [0076.348] StrStrW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.348] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned 65 [0076.348] StrStrW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.348] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned 65 [0076.348] StrStrW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.348] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x188, lpOverlapped=0x0) returned 1 [0076.349] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffe78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.349] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x188, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x188, lpOverlapped=0x0) returned 1 [0076.349] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.349] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.349] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.349] CloseHandle (hObject=0x1d4) returned 1 [0076.349] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.protected") returned 75 [0076.349] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn.protected")) returned 1 [0076.350] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.350] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="Windows") returned -1 [0076.350] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="Program Files") returned -1 [0076.350] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.350] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.350] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.350] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned 58 [0076.350] StrStrIW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.350] lstrcmpW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.350] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.350] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.350] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.351] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned 58 [0076.351] StrStrW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.351] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned 58 [0076.351] StrStrW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.351] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned 58 [0076.351] StrStrW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.351] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x15e, lpOverlapped=0x0) returned 1 [0076.352] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.352] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x15e, lpOverlapped=0x0) returned 1 [0076.352] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.352] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.352] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.352] CloseHandle (hObject=0x1d4) returned 1 [0076.352] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.protected") returned 68 [0076.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn.protected")) returned 1 [0076.352] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.352] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="Windows") returned -1 [0076.352] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="Program Files") returned -1 [0076.353] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.353] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.353] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.353] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned 58 [0076.353] StrStrIW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.353] lstrcmpW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.353] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.353] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.353] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.353] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned 58 [0076.353] StrStrW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.353] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned 58 [0076.353] StrStrW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.353] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned 58 [0076.353] StrStrW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.353] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x15e, lpOverlapped=0x0) returned 1 [0076.354] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.354] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x15e, lpOverlapped=0x0) returned 1 [0076.354] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.354] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.354] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.354] CloseHandle (hObject=0x1d4) returned 1 [0076.355] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.protected") returned 68 [0076.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn.protected")) returned 1 [0076.355] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.355] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="Windows") returned -1 [0076.355] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="Program Files") returned -1 [0076.355] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.355] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.355] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.355] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned 56 [0076.355] StrStrIW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.355] lstrcmpW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.355] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.355] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.355] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.355] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned 56 [0076.355] StrStrW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.356] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned 56 [0076.356] StrStrW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.356] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned 56 [0076.356] StrStrW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.356] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x152, lpOverlapped=0x0) returned 1 [0076.356] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.356] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x152, lpOverlapped=0x0) returned 1 [0076.356] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.356] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.357] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.357] CloseHandle (hObject=0x1d4) returned 1 [0076.357] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.protected") returned 66 [0076.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn.protected")) returned 1 [0076.357] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.357] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0076.357] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0076.357] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.357] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.357] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.357] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned 60 [0076.357] StrStrIW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.357] lstrcmpW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.357] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.357] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.357] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.358] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned 60 [0076.358] StrStrW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.358] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned 60 [0076.358] StrStrW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.358] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned 60 [0076.358] StrStrW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.358] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x16a, lpOverlapped=0x0) returned 1 [0076.359] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.359] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x16a, lpOverlapped=0x0) returned 1 [0076.359] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.359] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.359] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.359] CloseHandle (hObject=0x1d4) returned 1 [0076.359] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.protected") returned 70 [0076.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn.protected")) returned 1 [0076.359] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.359] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="Windows") returned -1 [0076.360] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="Program Files") returned -1 [0076.360] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.360] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.360] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.360] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned 56 [0076.360] StrStrIW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.360] lstrcmpW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.360] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.360] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.360] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.360] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned 56 [0076.360] StrStrW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.360] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned 56 [0076.360] StrStrW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.360] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned 56 [0076.360] StrStrW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.360] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x152, lpOverlapped=0x0) returned 1 [0076.361] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.361] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x152, lpOverlapped=0x0) returned 1 [0076.361] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.361] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.362] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.362] CloseHandle (hObject=0x1d4) returned 1 [0076.362] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn.protected") returned 66 [0076.362] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn.protected")) returned 1 [0076.362] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.362] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="Windows") returned -1 [0076.362] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="Program Files") returned -1 [0076.362] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="Program Files (x86)") returned -1 [0076.362] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="$Recycle.bin") returned 1 [0076.362] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="System Volume Information") returned -1 [0076.362] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned 60 [0076.362] StrStrIW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".protected") returned 0x0 [0076.362] lstrcmpW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.363] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.363] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.363] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.363] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned 60 [0076.363] StrStrW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0076.363] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned 60 [0076.363] StrStrW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".rar") returned 0x0 [0076.363] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned 60 [0076.363] StrStrW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".zip") returned 0x0 [0076.363] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x16a, lpOverlapped=0x0) returned 1 [0076.364] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.364] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x16a, lpOverlapped=0x0) returned 1 [0076.364] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.364] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.364] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.364] CloseHandle (hObject=0x1d4) returned 1 [0076.364] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.protected") returned 70 [0076.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.protected" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn.protected")) returned 1 [0076.365] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.365] lstrcmpiW (lpString1="nslist.hxl", lpString2="Windows") returned -1 [0076.365] lstrcmpiW (lpString1="nslist.hxl", lpString2="Program Files") returned -1 [0076.365] lstrcmpiW (lpString1="nslist.hxl", lpString2="Program Files (x86)") returned -1 [0076.365] lstrcmpiW (lpString1="nslist.hxl", lpString2="$Recycle.bin") returned 1 [0076.365] lstrcmpiW (lpString1="nslist.hxl", lpString2="System Volume Information") returned -1 [0076.365] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl") returned 44 [0076.365] StrStrIW (lpFirst="nslist.hxl", lpSrch=".protected") returned 0x0 [0076.365] lstrcmpW (lpString1="nslist.hxl", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.365] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0076.365] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0076.365] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.365] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl") returned 44 [0076.365] StrStrW (lpFirst="nslist.hxl", lpSrch=".txt") returned 0x0 [0076.365] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl") returned 44 [0076.365] StrStrW (lpFirst="nslist.hxl", lpSrch=".rar") returned 0x0 [0076.365] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl") returned 44 [0076.365] StrStrW (lpFirst="nslist.hxl", lpSrch=".zip") returned 0x0 [0076.365] ReadFile (in: hFile=0x1d4, lpBuffer=0x5fa760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesRead=0x2ef170*=0x21dc, lpOverlapped=0x0) returned 1 [0076.488] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xffffde24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.488] WriteFile (in: hFile=0x1d4, lpBuffer=0x5fa760*, nNumberOfBytesToWrite=0x21dc, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5fa760*, lpNumberOfBytesWritten=0x2ef170*=0x21dc, lpOverlapped=0x0) returned 1 [0076.488] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.488] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0076.488] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0076.488] CloseHandle (hObject=0x1d4) returned 1 [0076.488] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl.protected") returned 54 [0076.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl.protected" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl.protected")) returned 1 [0076.489] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0076.489] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0076.489] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 63 [0076.489] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\microsoft help\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0076.489] lstrlenA (lpString="EMPTY") returned 5 [0076.489] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0076.490] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.490] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.490] CloseHandle (hObject=0x1d0) returned 1 [0076.490] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0076.490] lstrcmpiW (lpString1="Mozilla", lpString2="Windows") returned -1 [0076.490] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files") returned -1 [0076.490] lstrcmpiW (lpString1="Mozilla", lpString2="Program Files (x86)") returned -1 [0076.490] lstrcmpiW (lpString1="Mozilla", lpString2="$Recycle.bin") returned 1 [0076.490] lstrcmpiW (lpString1="Mozilla", lpString2="System Volume Information") returned -1 [0076.490] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla") returned 26 [0076.490] lstrcmpW (lpString1="Mozilla", lpString2=".") returned 1 [0076.490] lstrcmpW (lpString1="Mozilla", lpString2="..") returned 1 [0076.490] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\*") returned 28 [0076.490] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0076.491] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.491] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.491] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.491] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.491] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.491] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\.") returned 28 [0076.491] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.491] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.491] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.491] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.491] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.491] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.491] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.491] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\..") returned 29 [0076.491] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.491] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.491] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.491] lstrcmpiW (lpString1="logs", lpString2="Windows") returned -1 [0076.491] lstrcmpiW (lpString1="logs", lpString2="Program Files") returned -1 [0076.491] lstrcmpiW (lpString1="logs", lpString2="Program Files (x86)") returned -1 [0076.491] lstrcmpiW (lpString1="logs", lpString2="$Recycle.bin") returned 1 [0076.491] lstrcmpiW (lpString1="logs", lpString2="System Volume Information") returned -1 [0076.491] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs") returned 31 [0076.491] lstrcmpW (lpString1="logs", lpString2=".") returned 1 [0076.491] lstrcmpW (lpString1="logs", lpString2="..") returned 1 [0076.491] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*") returned 33 [0076.491] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0076.492] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.492] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.492] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.492] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.492] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.492] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\.") returned 33 [0076.492] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.492] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0076.492] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.492] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.492] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.492] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.492] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.492] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\..") returned 34 [0076.492] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.492] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.492] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0076.492] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="Windows") returned -1 [0076.492] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="Program Files") returned -1 [0076.492] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="Program Files (x86)") returned -1 [0076.492] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="$Recycle.bin") returned 1 [0076.492] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="System Volume Information") returned -1 [0076.492] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log") returned 62 [0076.492] StrStrIW (lpFirst="maintenanceservice-install.log", lpSrch=".protected") returned 0x0 [0076.492] lstrcmpW (lpString1="maintenanceservice-install.log", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.492] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0076.492] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0076.492] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log" (normalized: "c:\\programdata\\mozilla\\logs\\maintenanceservice-install.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0076.493] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log") returned 62 [0076.493] StrStrW (lpFirst="maintenanceservice-install.log", lpSrch=".txt") returned 0x0 [0076.493] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log") returned 62 [0076.493] StrStrW (lpFirst="maintenanceservice-install.log", lpSrch=".rar") returned 0x0 [0076.493] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log") returned 62 [0076.493] StrStrW (lpFirst="maintenanceservice-install.log", lpSrch=".zip") returned 0x0 [0076.493] ReadFile (in: hFile=0x1d8, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eee78*=0xa4, lpOverlapped=0x0) returned 1 [0076.493] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffff5c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.494] WriteFile (in: hFile=0x1d8, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0xa4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eee78*=0xa4, lpOverlapped=0x0) returned 1 [0076.494] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.494] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0076.494] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0076.494] CloseHandle (hObject=0x1d8) returned 1 [0076.495] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log.protected") returned 72 [0076.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log" (normalized: "c:\\programdata\\mozilla\\logs\\maintenanceservice-install.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log.protected" (normalized: "c:\\programdata\\mozilla\\logs\\maintenanceservice-install.log.protected")) returned 1 [0076.495] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0076.495] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0076.495] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 61 [0076.495] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\mozilla\\logs\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.495] lstrlenA (lpString="EMPTY") returned 5 [0076.495] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0076.496] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.496] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0076.496] CloseHandle (hObject=0x1d4) returned 1 [0076.496] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0076.496] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0076.496] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 56 [0076.496] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\mozilla\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0076.496] lstrlenA (lpString="EMPTY") returned 5 [0076.496] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0076.497] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.497] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.497] CloseHandle (hObject=0x1d0) returned 1 [0076.497] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0076.497] lstrcmpiW (lpString1="Oracle", lpString2="Windows") returned -1 [0076.497] lstrcmpiW (lpString1="Oracle", lpString2="Program Files") returned -1 [0076.497] lstrcmpiW (lpString1="Oracle", lpString2="Program Files (x86)") returned -1 [0076.497] lstrcmpiW (lpString1="Oracle", lpString2="$Recycle.bin") returned 1 [0076.497] lstrcmpiW (lpString1="Oracle", lpString2="System Volume Information") returned -1 [0076.497] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle") returned 25 [0076.497] lstrcmpW (lpString1="Oracle", lpString2=".") returned 1 [0076.497] lstrcmpW (lpString1="Oracle", lpString2="..") returned 1 [0076.497] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\*") returned 27 [0076.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0076.498] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.498] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.498] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.498] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.498] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.498] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\.") returned 27 [0076.498] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.498] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.498] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.498] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.498] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.498] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.498] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.498] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\..") returned 28 [0076.498] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.498] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.498] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0076.498] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0076.498] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 55 [0076.498] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\oracle\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0076.499] lstrlenA (lpString="EMPTY") returned 5 [0076.499] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0076.499] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.499] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.499] CloseHandle (hObject=0x1d0) returned 1 [0076.500] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0076.500] lstrcmpiW (lpString1="Package Cache", lpString2="Windows") returned -1 [0076.500] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files") returned -1 [0076.500] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files (x86)") returned -1 [0076.500] lstrcmpiW (lpString1="Package Cache", lpString2="$Recycle.bin") returned 1 [0076.500] lstrcmpiW (lpString1="Package Cache", lpString2="System Volume Information") returned -1 [0076.500] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache") returned 32 [0076.500] lstrcmpW (lpString1="Package Cache", lpString2=".") returned 1 [0076.500] lstrcmpW (lpString1="Package Cache", lpString2="..") returned 1 [0076.500] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\*") returned 34 [0076.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0076.554] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.554] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.554] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.554] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.554] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.554] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\.") returned 34 [0076.554] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.554] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.601] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.601] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.601] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.601] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.601] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.601] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\..") returned 35 [0076.601] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.601] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.601] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.601] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="Windows") returned -1 [0076.601] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="Program Files") returned -1 [0076.601] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="Program Files (x86)") returned -1 [0076.601] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="$Recycle.bin") returned 1 [0076.601] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="System Volume Information") returned -1 [0076.601] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned 73 [0076.601] lstrcmpW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2=".") returned 1 [0076.601] lstrcmpW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="..") returned 1 [0076.602] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*") returned 75 [0076.602] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0076.602] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.602] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.602] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.602] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.602] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.602] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\.") returned 75 [0076.602] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.602] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0076.602] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.602] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.602] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.602] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.602] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.602] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\..") returned 76 [0076.602] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.602] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.602] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0076.602] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0076.602] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0076.602] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0076.602] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0076.602] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0076.602] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages") returned 82 [0076.602] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0076.602] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0076.602] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*") returned 84 [0076.602] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0076.603] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.603] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.603] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.603] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.603] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.603] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\.") returned 84 [0076.603] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.603] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.603] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.603] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.603] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.603] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.603] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.603] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\..") returned 85 [0076.603] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.603] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.603] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.603] lstrcmpiW (lpString1="Patch", lpString2="Windows") returned -1 [0076.603] lstrcmpiW (lpString1="Patch", lpString2="Program Files") returned -1 [0076.603] lstrcmpiW (lpString1="Patch", lpString2="Program Files (x86)") returned -1 [0076.603] lstrcmpiW (lpString1="Patch", lpString2="$Recycle.bin") returned 1 [0076.603] lstrcmpiW (lpString1="Patch", lpString2="System Volume Information") returned -1 [0076.603] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch") returned 88 [0076.603] lstrcmpW (lpString1="Patch", lpString2=".") returned 1 [0076.603] lstrcmpW (lpString1="Patch", lpString2="..") returned 1 [0076.603] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*") returned 90 [0076.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0076.603] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.603] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.603] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.603] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.603] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.603] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\.") returned 90 [0076.603] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.604] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.604] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.604] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.604] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.604] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.604] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.604] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\..") returned 91 [0076.604] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.604] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.604] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.604] lstrcmpiW (lpString1="x64", lpString2="Windows") returned 1 [0076.604] lstrcmpiW (lpString1="x64", lpString2="Program Files") returned 1 [0076.604] lstrcmpiW (lpString1="x64", lpString2="Program Files (x86)") returned 1 [0076.604] lstrcmpiW (lpString1="x64", lpString2="$Recycle.bin") returned 1 [0076.604] lstrcmpiW (lpString1="x64", lpString2="System Volume Information") returned 1 [0076.604] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64") returned 92 [0076.604] lstrcmpW (lpString1="x64", lpString2=".") returned 1 [0076.604] lstrcmpW (lpString1="x64", lpString2="..") returned 1 [0076.605] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*") returned 94 [0076.605] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0076.605] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.605] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.605] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.605] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.605] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.605] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\.") returned 94 [0076.605] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.605] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.605] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.605] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.605] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.605] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.605] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.605] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\..") returned 95 [0076.605] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.605] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.605] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.605] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Windows") returned 1 [0076.605] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Program Files") returned 1 [0076.605] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Program Files (x86)") returned 1 [0076.605] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="$Recycle.bin") returned 1 [0076.605] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="System Volume Information") returned 1 [0076.605] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0076.605] StrStrIW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".protected") returned 0x0 [0076.605] lstrcmpW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.605] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0076.605] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0076.605] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0076.606] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0076.606] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".txt") returned 0x0 [0076.606] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0076.606] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".rar") returned 0x0 [0076.606] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0076.606] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".zip") returned 0x0 [0076.606] ReadFile (in: hFile=0x1e4, lpBuffer=0x60c7b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x60c7b8*, lpNumberOfBytesRead=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0076.607] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.607] WriteFile (in: hFile=0x1e4, lpBuffer=0x60c7b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x60c7b8*, lpNumberOfBytesWritten=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0076.608] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.608] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0076.777] WriteFile (in: hFile=0x1e4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0076.777] CloseHandle (hObject=0x1e4) returned 1 [0076.777] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.protected") returned 131 [0076.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.protected" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.protected")) returned 1 [0076.778] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0076.778] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0076.779] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 122 [0076.779] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0076.779] lstrlenA (lpString="EMPTY") returned 5 [0076.779] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0076.780] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.780] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.780] CloseHandle (hObject=0x1e0) returned 1 [0076.781] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0076.781] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0076.782] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 118 [0076.782] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0076.782] lstrlenA (lpString="EMPTY") returned 5 [0076.782] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0076.783] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.783] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0076.783] CloseHandle (hObject=0x1dc) returned 1 [0076.783] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0076.783] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0076.783] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 112 [0076.783] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0076.784] lstrlenA (lpString="EMPTY") returned 5 [0076.784] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0076.784] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.785] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0076.785] CloseHandle (hObject=0x1d8) returned 1 [0076.785] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0076.785] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0076.785] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 103 [0076.785] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0076.871] lstrlenA (lpString="EMPTY") returned 5 [0076.871] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0076.872] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0076.872] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0076.872] CloseHandle (hObject=0x1d4) returned 1 [0076.872] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0076.872] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Windows") returned -1 [0076.872] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Program Files") returned -1 [0076.872] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="Program Files (x86)") returned -1 [0076.872] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="$Recycle.bin") returned 1 [0076.872] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="System Volume Information") returned -1 [0076.872] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned 73 [0076.872] lstrcmpW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2=".") returned 1 [0076.872] lstrcmpW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="..") returned 1 [0076.872] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*") returned 75 [0076.872] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0076.885] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.885] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.885] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.885] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.885] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.885] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\.") returned 75 [0076.885] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.885] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0076.886] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.886] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.886] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.886] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.886] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.886] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\..") returned 76 [0076.886] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.886] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.886] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0076.886] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0076.886] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0076.886] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0076.886] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0076.886] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0076.886] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages") returned 82 [0076.886] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0076.886] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0076.886] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*") returned 84 [0076.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0076.886] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.886] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.886] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.886] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.886] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.886] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\.") returned 84 [0076.886] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.886] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.886] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.886] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.886] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.886] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.886] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.886] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\..") returned 85 [0076.886] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.886] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.886] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0076.886] lstrcmpiW (lpString1="Patch", lpString2="Windows") returned -1 [0076.887] lstrcmpiW (lpString1="Patch", lpString2="Program Files") returned -1 [0076.887] lstrcmpiW (lpString1="Patch", lpString2="Program Files (x86)") returned -1 [0076.887] lstrcmpiW (lpString1="Patch", lpString2="$Recycle.bin") returned 1 [0076.887] lstrcmpiW (lpString1="Patch", lpString2="System Volume Information") returned -1 [0076.887] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch") returned 88 [0076.887] lstrcmpW (lpString1="Patch", lpString2=".") returned 1 [0076.887] lstrcmpW (lpString1="Patch", lpString2="..") returned 1 [0076.887] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*") returned 90 [0076.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0076.887] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.887] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.887] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.887] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.887] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.887] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\.") returned 90 [0076.887] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.887] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.887] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.887] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.887] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.888] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.888] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.888] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\..") returned 91 [0076.888] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.888] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.888] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0076.888] lstrcmpiW (lpString1="x64", lpString2="Windows") returned 1 [0076.888] lstrcmpiW (lpString1="x64", lpString2="Program Files") returned 1 [0076.888] lstrcmpiW (lpString1="x64", lpString2="Program Files (x86)") returned 1 [0076.888] lstrcmpiW (lpString1="x64", lpString2="$Recycle.bin") returned 1 [0076.888] lstrcmpiW (lpString1="x64", lpString2="System Volume Information") returned 1 [0076.888] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64") returned 92 [0076.888] lstrcmpW (lpString1="x64", lpString2=".") returned 1 [0076.888] lstrcmpW (lpString1="x64", lpString2="..") returned 1 [0076.888] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*") returned 94 [0076.888] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0076.888] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.888] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.888] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.889] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.889] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.889] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\.") returned 94 [0076.889] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.889] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.889] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.889] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.889] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.889] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.889] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.889] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\..") returned 95 [0076.889] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.889] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.889] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0076.889] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Windows") returned 1 [0076.889] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Program Files") returned 1 [0076.889] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="Program Files (x86)") returned 1 [0076.889] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="$Recycle.bin") returned 1 [0076.889] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="System Volume Information") returned 1 [0076.889] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0076.889] StrStrIW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".protected") returned 0x0 [0076.889] lstrcmpW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0076.889] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0076.889] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0076.889] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0076.889] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0076.889] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".txt") returned 0x0 [0076.890] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0076.890] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".rar") returned 0x0 [0076.890] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0076.890] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".zip") returned 0x0 [0076.890] ReadFile (in: hFile=0x1e4, lpBuffer=0x60c7b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x60c7b8*, lpNumberOfBytesRead=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0076.936] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.936] WriteFile (in: hFile=0x1e4, lpBuffer=0x60c7b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x60c7b8*, lpNumberOfBytesWritten=0x2ee590*=0x2800, lpOverlapped=0x0) returned 1 [0076.936] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.936] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0077.063] WriteFile (in: hFile=0x1e4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0077.063] CloseHandle (hObject=0x1e4) returned 1 [0077.063] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.protected") returned 131 [0077.063] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.protected" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.protected")) returned 1 [0077.064] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0077.064] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0077.064] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 122 [0077.064] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0077.065] lstrlenA (lpString="EMPTY") returned 5 [0077.065] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0077.065] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.065] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0077.065] CloseHandle (hObject=0x1e0) returned 1 [0077.066] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0077.066] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0077.067] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 118 [0077.067] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0077.067] lstrlenA (lpString="EMPTY") returned 5 [0077.067] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0077.067] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.067] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0077.068] CloseHandle (hObject=0x1dc) returned 1 [0077.068] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0077.068] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0077.068] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 112 [0077.068] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0077.068] lstrlenA (lpString="EMPTY") returned 5 [0077.068] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0077.069] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.069] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0077.069] CloseHandle (hObject=0x1d8) returned 1 [0077.069] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0077.069] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0077.069] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 103 [0077.069] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0077.069] lstrlenA (lpString="EMPTY") returned 5 [0077.070] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0077.070] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.070] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0077.070] CloseHandle (hObject=0x1d4) returned 1 [0077.070] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0077.070] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Windows") returned -1 [0077.070] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files") returned -1 [0077.070] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0077.070] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0077.070] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="System Volume Information") returned -1 [0077.070] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 82 [0077.071] lstrcmpW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2=".") returned 1 [0077.071] lstrcmpW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="..") returned 1 [0077.071] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*") returned 84 [0077.071] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0077.071] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.071] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.071] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.071] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.071] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.071] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\.") returned 84 [0077.071] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.071] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.071] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.071] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.071] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.071] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.071] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.071] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\..") returned 85 [0077.071] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.071] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.071] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.071] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0077.071] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0077.071] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0077.071] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0077.071] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0077.071] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned 91 [0077.071] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0077.071] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0077.071] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*") returned 93 [0077.071] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0077.072] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.072] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.072] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.072] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.072] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.072] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\.") returned 93 [0077.072] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.072] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0077.072] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.072] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.072] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.072] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.072] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.072] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\..") returned 94 [0077.072] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.072] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.072] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0077.072] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0077.072] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0077.072] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0077.072] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0077.072] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0077.073] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned 112 [0077.073] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0077.073] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0077.073] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*") returned 114 [0077.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0077.073] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.073] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.073] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.073] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.073] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.073] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\.") returned 114 [0077.073] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.073] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0077.073] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.073] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.073] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.073] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.073] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.073] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\..") returned 115 [0077.073] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.073] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.073] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0077.073] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0077.073] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0077.073] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0077.073] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0077.073] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0077.073] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0077.073] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0077.073] lstrcmpW (lpString1="cab1.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0077.073] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0077.074] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0077.074] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0077.074] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0077.074] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0077.074] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0077.074] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0077.074] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0077.074] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0077.074] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.115] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.115] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.115] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.115] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0077.189] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0077.189] CloseHandle (hObject=0x1e0) returned 1 [0077.190] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected") returned 131 [0077.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab.protected")) returned 1 [0077.190] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0077.190] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Windows") returned -1 [0077.190] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files") returned 1 [0077.190] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files (x86)") returned 1 [0077.190] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$Recycle.bin") returned 1 [0077.190] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="System Volume Information") returned 1 [0077.191] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0077.191] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".protected") returned 0x0 [0077.191] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0077.191] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0077.191] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0077.191] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0077.191] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0077.191] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".txt") returned 0x0 [0077.191] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0077.191] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".rar") returned 0x0 [0077.191] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0077.191] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".zip") returned 0x0 [0077.191] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.213] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.213] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.214] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.214] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0077.214] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0077.214] CloseHandle (hObject=0x1e0) returned 1 [0077.272] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected") returned 148 [0077.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.protected")) returned 1 [0077.273] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0077.273] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0077.274] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 142 [0077.274] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0077.275] lstrlenA (lpString="EMPTY") returned 5 [0077.275] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0077.276] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.276] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0077.276] CloseHandle (hObject=0x1dc) returned 1 [0077.276] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0077.276] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0077.276] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 121 [0077.276] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0077.339] lstrlenA (lpString="EMPTY") returned 5 [0077.339] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0077.340] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.340] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0077.340] CloseHandle (hObject=0x1d8) returned 1 [0077.340] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0077.340] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0077.340] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 112 [0077.340] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0077.372] lstrlenA (lpString="EMPTY") returned 5 [0077.372] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0077.373] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.373] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0077.373] CloseHandle (hObject=0x1d4) returned 1 [0077.373] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0077.373] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Windows") returned -1 [0077.373] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files") returned -1 [0077.373] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files (x86)") returned -1 [0077.373] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="$Recycle.bin") returned 1 [0077.373] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="System Volume Information") returned -1 [0077.373] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 71 [0077.373] lstrcmpW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2=".") returned 1 [0077.373] lstrcmpW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="..") returned 1 [0077.373] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*") returned 73 [0077.373] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0077.373] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.373] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.373] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.373] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.373] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.373] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\.") returned 73 [0077.373] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.373] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.373] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.373] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.374] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.374] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.374] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.374] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\..") returned 74 [0077.374] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.374] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.374] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.374] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0077.374] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0077.374] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0077.374] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0077.374] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0077.374] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 81 [0077.374] StrStrIW (lpFirst="state.rsm", lpSrch=".protected") returned 0x0 [0077.374] lstrcmpW (lpString1="state.rsm", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0077.374] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0077.374] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0077.374] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0077.375] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 81 [0077.375] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0077.375] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 81 [0077.375] StrStrW (lpFirst="state.rsm", lpSrch=".rar") returned 0x0 [0077.375] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 81 [0077.375] StrStrW (lpFirst="state.rsm", lpSrch=".zip") returned 0x0 [0077.375] ReadFile (in: hFile=0x1d8, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eee78*=0x28e, lpOverlapped=0x0) returned 1 [0077.375] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.375] WriteFile (in: hFile=0x1d8, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eee78*=0x28e, lpOverlapped=0x0) returned 1 [0077.376] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.376] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0077.376] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0077.376] CloseHandle (hObject=0x1d8) returned 1 [0077.376] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.protected") returned 91 [0077.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.protected" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.protected")) returned 1 [0077.377] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.377] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Windows") returned -1 [0077.377] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files") returned 1 [0077.377] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files (x86)") returned 1 [0077.377] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$Recycle.bin") returned 1 [0077.377] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="System Volume Information") returned 1 [0077.377] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 88 [0077.377] StrStrIW (lpFirst="vcredist_x86.exe", lpSrch=".protected") returned 0x0 [0077.377] lstrcmpW (lpString1="vcredist_x86.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0077.377] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0077.378] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0077.378] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0077.378] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 88 [0077.378] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".txt") returned 0x0 [0077.378] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 88 [0077.378] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".rar") returned 0x0 [0077.378] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 88 [0077.378] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".zip") returned 0x0 [0077.378] ReadFile (in: hFile=0x1d8, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0077.393] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.393] WriteFile (in: hFile=0x1d8, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0077.394] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.394] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0077.436] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0077.436] CloseHandle (hObject=0x1d8) returned 1 [0077.436] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.protected") returned 98 [0077.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.protected" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.protected")) returned 1 [0077.437] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0077.437] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0077.437] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 101 [0077.437] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0077.438] lstrlenA (lpString="EMPTY") returned 5 [0077.438] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0077.438] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.439] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0077.439] CloseHandle (hObject=0x1d4) returned 1 [0077.439] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0077.439] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Windows") returned -1 [0077.439] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files") returned -1 [0077.439] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0077.439] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0077.439] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="System Volume Information") returned -1 [0077.439] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned 82 [0077.439] lstrcmpW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2=".") returned 1 [0077.439] lstrcmpW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="..") returned 1 [0077.439] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*") returned 84 [0077.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0077.440] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.440] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.440] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.440] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.440] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.440] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\.") returned 84 [0077.440] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.440] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.440] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.440] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.440] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.440] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.440] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.440] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\..") returned 85 [0077.440] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.440] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.440] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.440] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0077.440] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0077.440] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0077.440] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0077.440] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0077.440] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned 91 [0077.440] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0077.440] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0077.440] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*") returned 93 [0077.440] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0077.440] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.440] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.440] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.440] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.441] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.441] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\.") returned 93 [0077.441] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.441] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0077.441] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.441] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.441] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.441] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.441] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.441] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\..") returned 94 [0077.441] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.441] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.441] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0077.441] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0077.441] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0077.441] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0077.441] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0077.441] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0077.441] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned 117 [0077.441] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0077.441] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0077.441] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*") returned 119 [0077.441] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0077.441] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.441] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.441] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.441] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.441] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.441] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\.") returned 119 [0077.442] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.442] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0077.442] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.442] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.442] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.442] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.442] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.442] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\..") returned 120 [0077.442] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.442] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.442] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0077.442] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0077.442] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0077.442] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0077.442] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0077.442] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0077.442] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0077.442] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0077.442] lstrcmpW (lpString1="cab1.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0077.442] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0077.442] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0077.442] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0077.442] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0077.442] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0077.442] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0077.442] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0077.442] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0077.442] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0077.442] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.444] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.444] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.444] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.444] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0077.486] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0077.486] CloseHandle (hObject=0x1e0) returned 1 [0077.487] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected") returned 136 [0077.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab.protected")) returned 1 [0077.488] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0077.488] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Windows") returned -1 [0077.488] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files") returned 1 [0077.488] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files (x86)") returned 1 [0077.488] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$Recycle.bin") returned 1 [0077.488] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="System Volume Information") returned 1 [0077.488] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0077.488] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".protected") returned 0x0 [0077.488] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0077.488] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0077.488] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0077.488] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0077.522] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0077.522] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".txt") returned 0x0 [0077.522] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0077.522] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".rar") returned 0x0 [0077.522] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0077.522] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".zip") returned 0x0 [0077.522] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.619] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.619] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.692] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.692] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0077.692] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0077.692] CloseHandle (hObject=0x1e0) returned 1 [0077.693] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected") returned 156 [0077.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.protected")) returned 1 [0077.693] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0077.693] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0077.694] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 147 [0077.694] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0077.718] lstrlenA (lpString="EMPTY") returned 5 [0077.718] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0077.719] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.719] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0077.719] CloseHandle (hObject=0x1dc) returned 1 [0077.719] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0077.719] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0077.719] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 121 [0077.719] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0077.719] lstrlenA (lpString="EMPTY") returned 5 [0077.720] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0077.720] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.720] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0077.720] CloseHandle (hObject=0x1d8) returned 1 [0077.720] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0077.720] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0077.720] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 112 [0077.720] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0077.721] lstrlenA (lpString="EMPTY") returned 5 [0077.721] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0077.722] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.722] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0077.722] CloseHandle (hObject=0x1d4) returned 1 [0077.722] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0077.722] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Windows") returned -1 [0077.722] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Program Files") returned -1 [0077.722] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Program Files (x86)") returned -1 [0077.722] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="$Recycle.bin") returned 1 [0077.722] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="System Volume Information") returned -1 [0077.722] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned 71 [0077.722] lstrcmpW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2=".") returned 1 [0077.722] lstrcmpW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="..") returned 1 [0077.722] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*") returned 73 [0077.722] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0077.723] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.723] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.723] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.723] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.723] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.723] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\.") returned 73 [0077.723] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.723] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.723] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.723] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.723] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.723] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.723] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.723] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\..") returned 74 [0077.723] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.723] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.723] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.723] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0077.723] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0077.723] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0077.723] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0077.723] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0077.723] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 81 [0077.723] StrStrIW (lpFirst="state.rsm", lpSrch=".protected") returned 0x0 [0077.723] lstrcmpW (lpString1="state.rsm", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0077.723] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0077.724] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0077.724] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0077.724] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 81 [0077.724] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0077.724] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 81 [0077.724] StrStrW (lpFirst="state.rsm", lpSrch=".rar") returned 0x0 [0077.724] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 81 [0077.724] StrStrW (lpFirst="state.rsm", lpSrch=".zip") returned 0x0 [0077.724] ReadFile (in: hFile=0x1d8, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eee78*=0x29a, lpOverlapped=0x0) returned 1 [0077.725] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffd66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.725] WriteFile (in: hFile=0x1d8, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eee78*=0x29a, lpOverlapped=0x0) returned 1 [0077.725] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.725] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0077.725] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0077.725] CloseHandle (hObject=0x1d8) returned 1 [0077.726] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.protected") returned 91 [0077.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.protected" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.protected")) returned 1 [0077.727] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.727] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Windows") returned -1 [0077.727] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files") returned 1 [0077.727] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files (x86)") returned 1 [0077.727] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$Recycle.bin") returned 1 [0077.727] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="System Volume Information") returned 1 [0077.727] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 88 [0077.727] StrStrIW (lpFirst="vcredist_x64.exe", lpSrch=".protected") returned 0x0 [0077.727] lstrcmpW (lpString1="vcredist_x64.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0077.727] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0077.727] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0077.727] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0077.727] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 88 [0077.727] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".txt") returned 0x0 [0077.727] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 88 [0077.727] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".rar") returned 0x0 [0077.727] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 88 [0077.727] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".zip") returned 0x0 [0077.727] ReadFile (in: hFile=0x1d8, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0077.758] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.758] WriteFile (in: hFile=0x1d8, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0077.758] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.759] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0077.869] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0077.869] CloseHandle (hObject=0x1d8) returned 1 [0077.870] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.protected") returned 98 [0077.870] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.protected" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.protected")) returned 1 [0077.872] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0077.872] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0077.872] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 101 [0077.872] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0077.874] lstrlenA (lpString="EMPTY") returned 5 [0077.874] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0077.875] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.875] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0077.875] CloseHandle (hObject=0x1d4) returned 1 [0077.875] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0077.875] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Windows") returned -1 [0077.875] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Program Files") returned -1 [0077.875] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0077.875] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0077.876] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="System Volume Information") returned -1 [0077.876] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned 83 [0077.876] lstrcmpW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2=".") returned 1 [0077.876] lstrcmpW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="..") returned 1 [0077.876] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*") returned 85 [0077.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0077.876] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.876] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.876] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.876] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.876] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.876] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\.") returned 85 [0077.876] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.876] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.876] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.876] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.876] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.876] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.876] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.876] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\..") returned 86 [0077.876] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.876] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.876] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.876] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0077.876] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0077.876] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0077.876] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0077.877] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0077.877] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages") returned 92 [0077.877] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0077.877] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0077.877] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*") returned 94 [0077.877] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0077.877] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.877] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.877] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.877] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.877] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.877] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\.") returned 94 [0077.877] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.877] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0077.877] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.877] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.877] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.877] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.877] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.877] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\..") returned 95 [0077.877] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.877] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.877] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0077.877] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0077.877] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0077.877] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0077.877] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0077.877] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0077.877] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86") returned 113 [0077.878] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0077.878] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0077.878] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*") returned 115 [0077.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0077.878] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.878] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.878] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.878] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.878] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.878] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\.") returned 115 [0077.878] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.878] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0077.878] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.878] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.878] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.878] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.878] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.878] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\..") returned 116 [0077.878] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.878] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.878] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0077.878] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0077.878] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0077.879] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0077.879] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0077.879] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0077.879] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 122 [0077.879] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0077.879] lstrcmpW (lpString1="cab1.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0077.879] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0077.879] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0077.879] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0077.880] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 122 [0077.880] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0077.880] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 122 [0077.880] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0077.880] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 122 [0077.880] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0077.880] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.930] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.930] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.930] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.930] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0077.956] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0077.956] CloseHandle (hObject=0x1e0) returned 1 [0077.957] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected") returned 132 [0077.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab.protected")) returned 1 [0077.957] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0077.957] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Windows") returned -1 [0077.957] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files") returned 1 [0077.957] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files (x86)") returned 1 [0077.957] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$Recycle.bin") returned 1 [0077.957] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="System Volume Information") returned 1 [0077.957] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 139 [0077.957] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".protected") returned 0x0 [0077.957] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0077.957] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0077.957] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0077.957] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0077.958] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 139 [0077.958] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".txt") returned 0x0 [0077.958] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 139 [0077.958] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".rar") returned 0x0 [0077.958] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 139 [0077.958] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".zip") returned 0x0 [0077.958] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.979] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.979] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.980] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.980] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0077.980] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0077.980] CloseHandle (hObject=0x1e0) returned 1 [0077.984] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected") returned 149 [0077.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.protected")) returned 1 [0077.984] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0077.984] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0077.985] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 143 [0077.985] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0077.987] lstrlenA (lpString="EMPTY") returned 5 [0077.987] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0077.987] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.987] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0077.987] CloseHandle (hObject=0x1dc) returned 1 [0077.987] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0077.987] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0077.988] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 122 [0077.988] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0077.988] lstrlenA (lpString="EMPTY") returned 5 [0077.988] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0077.989] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.989] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0077.989] CloseHandle (hObject=0x1d8) returned 1 [0077.989] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0077.989] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0077.989] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 113 [0077.989] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0077.990] lstrlenA (lpString="EMPTY") returned 5 [0077.990] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0077.990] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0077.990] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0077.991] CloseHandle (hObject=0x1d4) returned 1 [0077.991] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0077.991] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Windows") returned -1 [0077.991] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Program Files") returned -1 [0077.991] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0077.991] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0077.991] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="System Volume Information") returned -1 [0077.991] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned 83 [0077.991] lstrcmpW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2=".") returned 1 [0077.991] lstrcmpW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="..") returned 1 [0077.991] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*") returned 85 [0077.991] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0077.992] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.992] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.992] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.992] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.992] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.992] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\.") returned 85 [0077.992] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.992] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.992] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.992] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.992] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.992] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.992] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.992] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\..") returned 86 [0077.992] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.992] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.992] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0077.992] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0077.992] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0077.992] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0077.992] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0077.992] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0077.992] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages") returned 92 [0077.992] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0077.992] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0077.992] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*") returned 94 [0077.992] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0077.993] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.993] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.993] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.993] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.993] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.993] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\.") returned 94 [0077.993] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.993] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0077.993] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.993] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.993] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.993] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.993] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.993] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\..") returned 95 [0077.993] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.993] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.993] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0077.993] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0077.993] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0077.993] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0077.993] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0077.993] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0077.993] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86") returned 116 [0077.993] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0077.993] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0077.993] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*") returned 118 [0077.993] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0077.993] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.993] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.993] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.993] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.993] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.993] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\.") returned 118 [0077.993] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.994] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0077.994] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.994] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.994] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.994] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.994] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.994] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\..") returned 119 [0077.994] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.994] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.994] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0077.994] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0077.994] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0077.994] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0077.994] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0077.994] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0077.994] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 125 [0077.994] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0077.994] lstrcmpW (lpString1="cab1.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0077.994] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0077.994] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0077.994] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0077.994] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 125 [0077.994] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0077.994] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 125 [0077.994] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0077.994] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 125 [0077.994] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0077.994] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.996] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.996] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0077.996] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.996] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0077.997] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0077.997] CloseHandle (hObject=0x1e0) returned 1 [0078.026] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected") returned 135 [0078.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab.protected")) returned 1 [0078.027] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.027] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Windows") returned -1 [0078.027] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files") returned 1 [0078.027] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files (x86)") returned 1 [0078.027] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$Recycle.bin") returned 1 [0078.027] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="System Volume Information") returned 1 [0078.027] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 145 [0078.027] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".protected") returned 0x0 [0078.027] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0078.027] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0078.027] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0078.027] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0078.028] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 145 [0078.028] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".txt") returned 0x0 [0078.028] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 145 [0078.028] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".rar") returned 0x0 [0078.028] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 145 [0078.028] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".zip") returned 0x0 [0078.028] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.044] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.045] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.045] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.045] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0078.046] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0078.046] CloseHandle (hObject=0x1e0) returned 1 [0078.088] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected") returned 155 [0078.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.protected")) returned 1 [0078.089] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0078.089] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0078.090] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 146 [0078.090] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0078.091] lstrlenA (lpString="EMPTY") returned 5 [0078.091] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0078.092] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.092] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0078.092] CloseHandle (hObject=0x1dc) returned 1 [0078.093] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0078.093] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0078.093] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 122 [0078.093] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0078.093] lstrlenA (lpString="EMPTY") returned 5 [0078.094] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0078.094] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.094] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0078.094] CloseHandle (hObject=0x1d8) returned 1 [0078.095] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0078.095] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0078.095] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 113 [0078.095] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0078.095] lstrlenA (lpString="EMPTY") returned 5 [0078.095] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0078.096] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.096] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0078.096] CloseHandle (hObject=0x1d4) returned 1 [0078.096] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0078.096] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Windows") returned -1 [0078.096] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Program Files") returned -1 [0078.096] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0078.096] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0078.096] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="System Volume Information") returned -1 [0078.096] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned 83 [0078.096] lstrcmpW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2=".") returned 1 [0078.096] lstrcmpW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="..") returned 1 [0078.096] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*") returned 85 [0078.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0078.097] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.097] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.097] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.097] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.097] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.097] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\.") returned 85 [0078.097] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.097] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0078.097] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.097] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.097] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.097] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.097] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.097] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\..") returned 86 [0078.098] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.098] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.098] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0078.098] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0078.098] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0078.098] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0078.098] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0078.098] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0078.098] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned 92 [0078.098] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0078.098] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0078.098] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*") returned 94 [0078.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0078.098] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.098] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.098] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.098] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.098] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.098] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\.") returned 94 [0078.098] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.098] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0078.098] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.098] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.098] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.098] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.098] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.098] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\..") returned 95 [0078.098] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.099] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.099] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0078.099] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0078.099] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0078.099] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0078.099] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0078.099] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0078.099] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64") returned 115 [0078.099] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0078.099] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0078.099] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*") returned 117 [0078.099] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0078.099] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.099] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.099] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.099] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.099] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.099] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\.") returned 117 [0078.099] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.099] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.099] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.099] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.099] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.099] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.100] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.100] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\..") returned 118 [0078.100] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.100] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.100] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.100] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0078.100] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0078.100] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0078.100] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0078.100] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0078.100] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 124 [0078.100] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0078.100] lstrcmpW (lpString1="cab1.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0078.100] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0078.100] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0078.100] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0078.100] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 124 [0078.100] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0078.100] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 124 [0078.100] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0078.100] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 124 [0078.100] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0078.101] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.118] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.118] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.118] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.119] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0078.153] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0078.153] CloseHandle (hObject=0x1e0) returned 1 [0078.154] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected") returned 134 [0078.154] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab.protected")) returned 1 [0078.154] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.154] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Windows") returned -1 [0078.155] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files") returned 1 [0078.155] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files (x86)") returned 1 [0078.155] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$Recycle.bin") returned 1 [0078.155] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="System Volume Information") returned 1 [0078.155] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 141 [0078.155] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".protected") returned 0x0 [0078.155] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0078.155] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0078.155] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0078.155] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0078.155] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 141 [0078.155] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".txt") returned 0x0 [0078.155] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 141 [0078.155] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".rar") returned 0x0 [0078.155] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 141 [0078.155] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".zip") returned 0x0 [0078.155] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.184] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.184] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.186] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.186] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0078.186] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0078.186] CloseHandle (hObject=0x1e0) returned 1 [0078.187] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected") returned 151 [0078.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.protected")) returned 1 [0078.188] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0078.188] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0078.189] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 145 [0078.189] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0078.190] lstrlenA (lpString="EMPTY") returned 5 [0078.190] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0078.191] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.191] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0078.191] CloseHandle (hObject=0x1dc) returned 1 [0078.192] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0078.192] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0078.192] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 122 [0078.192] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0078.193] lstrlenA (lpString="EMPTY") returned 5 [0078.193] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0078.193] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.193] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0078.194] CloseHandle (hObject=0x1d8) returned 1 [0078.194] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0078.194] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0078.194] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 113 [0078.194] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0078.194] lstrlenA (lpString="EMPTY") returned 5 [0078.194] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0078.195] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.195] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0078.195] CloseHandle (hObject=0x1d4) returned 1 [0078.195] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0078.195] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Windows") returned -1 [0078.195] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Program Files") returned -1 [0078.195] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0078.195] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0078.195] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="System Volume Information") returned -1 [0078.195] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned 82 [0078.195] lstrcmpW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2=".") returned 1 [0078.195] lstrcmpW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="..") returned 1 [0078.195] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*") returned 84 [0078.195] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0078.196] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.196] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.196] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.196] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.196] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.196] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\.") returned 84 [0078.196] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.196] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0078.196] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.196] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.196] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.196] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.196] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.196] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\..") returned 85 [0078.196] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.196] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.196] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0078.196] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0078.196] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0078.196] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0078.196] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0078.196] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0078.196] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned 91 [0078.196] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0078.196] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0078.196] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*") returned 93 [0078.197] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0078.197] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.197] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.197] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.197] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.197] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.197] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\.") returned 93 [0078.197] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.197] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0078.197] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.197] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.197] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.197] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.197] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.197] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\..") returned 94 [0078.197] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.197] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.197] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0078.197] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0078.197] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0078.197] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0078.197] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0078.197] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0078.197] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned 117 [0078.197] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0078.197] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0078.197] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*") returned 119 [0078.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0078.198] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.198] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.198] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.198] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.198] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.198] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\.") returned 119 [0078.198] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.198] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.198] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.198] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.198] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.198] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.198] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.198] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\..") returned 120 [0078.198] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.198] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.198] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.198] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0078.198] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0078.198] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0078.198] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0078.198] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0078.198] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0078.198] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0078.198] lstrcmpW (lpString1="cab1.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0078.198] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0078.199] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0078.199] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0078.199] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0078.199] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0078.199] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0078.199] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0078.199] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0078.199] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0078.200] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.274] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.274] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.274] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.274] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0078.325] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0078.325] CloseHandle (hObject=0x1e0) returned 1 [0078.350] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected") returned 136 [0078.350] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab.protected")) returned 1 [0078.350] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.350] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Windows") returned -1 [0078.350] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files") returned 1 [0078.350] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files (x86)") returned 1 [0078.351] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$Recycle.bin") returned 1 [0078.351] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="System Volume Information") returned 1 [0078.351] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0078.351] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".protected") returned 0x0 [0078.351] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0078.351] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0078.351] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0078.351] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0078.351] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0078.351] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".txt") returned 0x0 [0078.351] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0078.351] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".rar") returned 0x0 [0078.351] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0078.351] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".zip") returned 0x0 [0078.351] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.364] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.364] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.364] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.365] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0078.365] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0078.365] CloseHandle (hObject=0x1e0) returned 1 [0078.407] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected") returned 156 [0078.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.protected")) returned 1 [0078.408] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0078.408] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0078.409] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 147 [0078.409] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0078.461] lstrlenA (lpString="EMPTY") returned 5 [0078.461] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0078.462] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.462] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0078.462] CloseHandle (hObject=0x1dc) returned 1 [0078.462] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0078.462] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0078.463] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 121 [0078.463] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0078.464] lstrlenA (lpString="EMPTY") returned 5 [0078.464] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0078.464] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.464] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0078.465] CloseHandle (hObject=0x1d8) returned 1 [0078.465] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0078.465] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0078.465] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 112 [0078.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0078.465] lstrlenA (lpString="EMPTY") returned 5 [0078.465] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0078.466] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.466] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0078.466] CloseHandle (hObject=0x1d4) returned 1 [0078.467] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0078.467] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Windows") returned -1 [0078.467] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Program Files") returned -1 [0078.467] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0078.467] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0078.467] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="System Volume Information") returned -1 [0078.467] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned 82 [0078.467] lstrcmpW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2=".") returned 1 [0078.467] lstrcmpW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="..") returned 1 [0078.467] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*") returned 84 [0078.467] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0078.467] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.467] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.467] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.467] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.467] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.467] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\.") returned 84 [0078.467] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.467] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0078.467] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.467] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.467] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.467] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.468] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.468] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\..") returned 85 [0078.468] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.468] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.468] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0078.468] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0078.468] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0078.468] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0078.468] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0078.468] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0078.468] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned 91 [0078.468] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0078.468] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0078.468] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*") returned 93 [0078.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0078.468] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.468] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.468] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.468] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.468] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.468] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\.") returned 93 [0078.468] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.468] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0078.468] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.468] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.468] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.468] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.469] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.469] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\..") returned 94 [0078.469] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.469] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.469] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0078.469] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0078.469] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0078.469] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0078.469] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0078.469] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0078.469] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned 114 [0078.469] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0078.469] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0078.469] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*") returned 116 [0078.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0078.469] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.469] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.469] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.469] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.469] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.469] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\.") returned 116 [0078.469] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.469] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.469] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.469] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.469] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.469] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.470] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.470] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\..") returned 117 [0078.470] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.470] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.470] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.470] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0078.470] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0078.470] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0078.470] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0078.470] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0078.470] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0078.470] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0078.470] lstrcmpW (lpString1="cab1.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0078.470] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0078.470] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0078.470] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0078.470] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0078.470] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0078.470] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0078.470] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0078.470] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0078.470] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0078.471] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.496] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.496] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.496] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.496] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0078.513] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0078.513] CloseHandle (hObject=0x1e0) returned 1 [0078.582] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected") returned 133 [0078.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab.protected")) returned 1 [0078.582] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.582] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Windows") returned -1 [0078.582] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files") returned 1 [0078.582] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files (x86)") returned 1 [0078.582] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$Recycle.bin") returned 1 [0078.582] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="System Volume Information") returned 1 [0078.582] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0078.582] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".protected") returned 0x0 [0078.582] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0078.582] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0078.582] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0078.583] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0078.583] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0078.583] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".txt") returned 0x0 [0078.583] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0078.583] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".rar") returned 0x0 [0078.583] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0078.583] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".zip") returned 0x0 [0078.583] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.586] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.586] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.587] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.587] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0078.587] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0078.587] CloseHandle (hObject=0x1e0) returned 1 [0078.647] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected") returned 150 [0078.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.protected")) returned 1 [0078.647] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0078.647] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0078.648] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 144 [0078.648] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0078.652] lstrlenA (lpString="EMPTY") returned 5 [0078.652] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0078.652] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.652] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0078.652] CloseHandle (hObject=0x1dc) returned 1 [0078.652] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0078.653] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0078.653] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 121 [0078.653] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0078.653] lstrlenA (lpString="EMPTY") returned 5 [0078.653] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0078.654] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.654] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0078.654] CloseHandle (hObject=0x1d8) returned 1 [0078.654] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0078.654] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0078.654] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 112 [0078.654] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0078.655] lstrlenA (lpString="EMPTY") returned 5 [0078.655] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0078.655] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.655] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0078.655] CloseHandle (hObject=0x1d4) returned 1 [0078.656] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0078.656] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Windows") returned -1 [0078.656] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Program Files") returned -1 [0078.656] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0078.656] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0078.656] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="System Volume Information") returned -1 [0078.656] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 82 [0078.656] lstrcmpW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2=".") returned 1 [0078.656] lstrcmpW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="..") returned 1 [0078.656] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*") returned 84 [0078.656] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0078.701] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.701] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.701] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.701] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.701] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.701] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\.") returned 84 [0078.701] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.701] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0078.701] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.701] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.701] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.701] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.701] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.701] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\..") returned 85 [0078.701] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.701] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.701] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0078.701] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0078.701] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0078.701] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0078.701] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0078.701] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0078.701] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned 91 [0078.701] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0078.701] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0078.701] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*") returned 93 [0078.701] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0078.702] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.702] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.702] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.702] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.702] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.702] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\.") returned 93 [0078.702] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.702] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0078.702] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.702] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.702] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.702] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.702] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.703] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\..") returned 94 [0078.703] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.703] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.703] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0078.703] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0078.703] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0078.703] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0078.703] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0078.703] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0078.703] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned 115 [0078.703] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0078.703] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0078.703] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*") returned 117 [0078.703] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0078.704] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.704] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.704] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.704] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.704] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.704] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\.") returned 117 [0078.704] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.704] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.704] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.704] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.704] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.704] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.704] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.704] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\..") returned 118 [0078.704] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.704] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.704] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.704] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0078.704] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0078.704] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0078.704] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0078.704] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0078.704] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0078.704] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0078.704] lstrcmpW (lpString1="cab1.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0078.704] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0078.704] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0078.704] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0078.705] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0078.705] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0078.705] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0078.705] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0078.705] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0078.705] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0078.705] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.723] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.723] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.723] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.723] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0078.725] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0078.725] CloseHandle (hObject=0x1e0) returned 1 [0078.726] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected") returned 134 [0078.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab.protected")) returned 1 [0078.727] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.727] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Windows") returned -1 [0078.727] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files") returned 1 [0078.727] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files (x86)") returned 1 [0078.727] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$Recycle.bin") returned 1 [0078.727] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="System Volume Information") returned 1 [0078.727] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0078.727] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".protected") returned 0x0 [0078.727] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0078.727] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0078.727] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0078.728] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0078.728] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0078.728] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".txt") returned 0x0 [0078.728] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0078.728] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".rar") returned 0x0 [0078.728] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0078.728] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".zip") returned 0x0 [0078.729] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.730] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.730] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.731] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.731] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0078.731] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0078.731] CloseHandle (hObject=0x1e0) returned 1 [0078.748] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected") returned 154 [0078.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.protected")) returned 1 [0078.749] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0078.749] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0078.750] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 145 [0078.750] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0078.801] lstrlenA (lpString="EMPTY") returned 5 [0078.801] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0078.801] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.801] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0078.802] CloseHandle (hObject=0x1dc) returned 1 [0078.802] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0078.802] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0078.802] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 121 [0078.802] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0078.803] lstrlenA (lpString="EMPTY") returned 5 [0078.803] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0078.804] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.804] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0078.804] CloseHandle (hObject=0x1d8) returned 1 [0078.804] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0078.804] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0078.804] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 112 [0078.804] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0078.804] lstrlenA (lpString="EMPTY") returned 5 [0078.804] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0078.805] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.805] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0078.805] CloseHandle (hObject=0x1d4) returned 1 [0078.805] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0078.806] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Windows") returned -1 [0078.806] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Program Files") returned -1 [0078.806] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0078.806] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0078.806] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="System Volume Information") returned -1 [0078.806] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 82 [0078.806] lstrcmpW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2=".") returned 1 [0078.806] lstrcmpW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="..") returned 1 [0078.806] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*") returned 84 [0078.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0078.806] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.806] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.806] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.806] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.806] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.806] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\.") returned 84 [0078.806] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.806] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0078.806] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.806] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.806] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.806] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.806] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.806] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\..") returned 85 [0078.806] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.806] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.806] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0078.807] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0078.807] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0078.807] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0078.807] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0078.807] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0078.807] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned 91 [0078.807] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0078.807] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0078.807] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*") returned 93 [0078.807] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0078.817] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.817] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.817] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.817] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.817] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.817] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\.") returned 93 [0078.817] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.817] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0078.817] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.817] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.817] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.817] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.817] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.817] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\..") returned 94 [0078.818] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.818] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.818] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0078.818] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0078.818] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0078.818] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0078.818] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0078.818] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0078.818] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned 112 [0078.818] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0078.818] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0078.818] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*") returned 114 [0078.818] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0078.819] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.819] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.819] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.819] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.819] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.819] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\.") returned 114 [0078.819] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.819] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.819] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.819] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.819] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.819] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.819] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.819] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\..") returned 115 [0078.819] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.819] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.819] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.819] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0078.820] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0078.820] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0078.820] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0078.820] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0078.820] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0078.820] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0078.820] lstrcmpW (lpString1="cab1.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0078.820] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0078.820] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0078.820] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0078.820] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0078.820] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0078.820] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0078.820] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0078.820] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0078.820] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0078.820] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.851] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.851] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.851] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.851] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0078.873] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0078.873] CloseHandle (hObject=0x1e0) returned 1 [0078.874] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected") returned 131 [0078.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab.protected")) returned 1 [0078.875] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0078.875] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Windows") returned -1 [0078.875] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files") returned 1 [0078.875] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files (x86)") returned 1 [0078.875] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$Recycle.bin") returned 1 [0078.875] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="System Volume Information") returned 1 [0078.875] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0078.875] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".protected") returned 0x0 [0078.875] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0078.875] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0078.875] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0078.875] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0078.876] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0078.876] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".txt") returned 0x0 [0078.876] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0078.876] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".rar") returned 0x0 [0078.876] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0078.876] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".zip") returned 0x0 [0078.876] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.901] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.901] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0078.902] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.902] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0078.902] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0078.902] CloseHandle (hObject=0x1e0) returned 1 [0078.903] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected") returned 148 [0078.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.protected" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.protected")) returned 1 [0078.903] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0078.903] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0078.904] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 142 [0078.904] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0078.949] lstrlenA (lpString="EMPTY") returned 5 [0078.949] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0078.950] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.950] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0078.950] CloseHandle (hObject=0x1dc) returned 1 [0078.950] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0078.950] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0078.950] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 121 [0078.950] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0078.951] lstrlenA (lpString="EMPTY") returned 5 [0078.951] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0078.952] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.952] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0078.952] CloseHandle (hObject=0x1d8) returned 1 [0078.952] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0078.952] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0078.952] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 112 [0078.952] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0078.952] lstrlenA (lpString="EMPTY") returned 5 [0078.952] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0078.953] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0078.953] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0078.953] CloseHandle (hObject=0x1d4) returned 1 [0078.953] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0078.953] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Windows") returned -1 [0078.953] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Program Files") returned -1 [0078.953] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Program Files (x86)") returned -1 [0078.953] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="$Recycle.bin") returned 1 [0078.953] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="System Volume Information") returned -1 [0078.953] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned 71 [0078.953] lstrcmpW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2=".") returned 1 [0078.954] lstrcmpW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="..") returned 1 [0078.954] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*") returned 73 [0078.954] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0078.954] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.954] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.954] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.954] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.954] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.954] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\.") returned 73 [0078.954] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.954] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0078.954] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.954] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.954] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.954] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.955] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.955] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\..") returned 74 [0078.955] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.955] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.955] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0078.955] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0078.955] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0078.955] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0078.955] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0078.955] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0078.955] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 81 [0078.955] StrStrIW (lpFirst="state.rsm", lpSrch=".protected") returned 0x0 [0078.955] lstrcmpW (lpString1="state.rsm", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0078.955] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0078.955] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0078.955] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0078.987] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 81 [0078.987] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0078.987] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 81 [0078.987] StrStrW (lpFirst="state.rsm", lpSrch=".rar") returned 0x0 [0078.987] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 81 [0078.987] StrStrW (lpFirst="state.rsm", lpSrch=".zip") returned 0x0 [0078.987] ReadFile (in: hFile=0x1d8, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eee78*=0x28e, lpOverlapped=0x0) returned 1 [0078.988] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.988] WriteFile (in: hFile=0x1d8, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eee78*=0x28e, lpOverlapped=0x0) returned 1 [0078.989] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.989] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0078.989] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0078.989] CloseHandle (hObject=0x1d8) returned 1 [0078.989] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.protected") returned 91 [0078.990] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.protected" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.protected")) returned 1 [0079.039] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0079.039] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Windows") returned -1 [0079.039] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files") returned 1 [0079.039] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files (x86)") returned 1 [0079.039] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$Recycle.bin") returned 1 [0079.039] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="System Volume Information") returned 1 [0079.039] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 88 [0079.039] StrStrIW (lpFirst="vcredist_x64.exe", lpSrch=".protected") returned 0x0 [0079.039] lstrcmpW (lpString1="vcredist_x64.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0079.039] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0079.040] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0079.040] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0079.040] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 88 [0079.040] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".txt") returned 0x0 [0079.040] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 88 [0079.040] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".rar") returned 0x0 [0079.040] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 88 [0079.040] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".zip") returned 0x0 [0079.040] ReadFile (in: hFile=0x1d8, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0079.086] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.086] WriteFile (in: hFile=0x1d8, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0079.088] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.088] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0079.089] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0079.089] CloseHandle (hObject=0x1d8) returned 1 [0079.090] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.protected") returned 98 [0079.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.protected" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.protected")) returned 1 [0079.090] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0079.090] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0079.090] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 101 [0079.090] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0079.092] lstrlenA (lpString="EMPTY") returned 5 [0079.092] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0079.093] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0079.093] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0079.093] CloseHandle (hObject=0x1d4) returned 1 [0079.094] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0079.094] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Windows") returned -1 [0079.094] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Program Files") returned -1 [0079.094] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0079.094] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0079.094] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="System Volume Information") returned -1 [0079.094] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned 82 [0079.094] lstrcmpW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2=".") returned 1 [0079.094] lstrcmpW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="..") returned 1 [0079.094] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*") returned 84 [0079.094] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0079.109] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.109] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.109] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.109] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.109] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.109] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\.") returned 84 [0079.109] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.109] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0079.109] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.109] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.109] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.109] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.109] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.109] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\..") returned 85 [0079.109] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.109] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.109] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0079.109] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0079.109] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0079.109] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0079.109] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0079.109] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0079.109] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned 91 [0079.109] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0079.109] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0079.109] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*") returned 93 [0079.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0079.109] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.109] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.109] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.109] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.109] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.109] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\.") returned 93 [0079.109] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.109] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0079.110] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.110] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.110] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.110] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.110] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.110] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\..") returned 94 [0079.110] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.110] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.110] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0079.110] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0079.110] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0079.110] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0079.110] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0079.110] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0079.110] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned 114 [0079.110] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0079.110] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0079.110] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*") returned 116 [0079.110] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0079.110] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.110] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.110] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.110] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.110] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.110] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\.") returned 116 [0079.110] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.110] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0079.110] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.110] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.110] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.110] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.110] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.110] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\..") returned 117 [0079.111] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.111] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.111] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0079.111] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0079.111] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0079.111] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0079.111] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0079.111] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0079.111] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0079.111] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0079.111] lstrcmpW (lpString1="cab1.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0079.111] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0079.111] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0079.111] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0079.111] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0079.111] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0079.111] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0079.111] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0079.111] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0079.111] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0079.111] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0079.135] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.135] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0079.135] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.136] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0079.142] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0079.142] CloseHandle (hObject=0x1e0) returned 1 [0079.144] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected") returned 133 [0079.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab.protected")) returned 1 [0079.147] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0079.147] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Windows") returned -1 [0079.147] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files") returned 1 [0079.147] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files (x86)") returned 1 [0079.147] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$Recycle.bin") returned 1 [0079.147] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="System Volume Information") returned 1 [0079.150] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0079.150] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".protected") returned 0x0 [0079.150] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0079.150] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0079.150] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0079.150] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0079.170] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0079.171] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".txt") returned 0x0 [0079.171] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0079.171] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".rar") returned 0x0 [0079.171] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0079.171] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".zip") returned 0x0 [0079.171] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0079.183] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.183] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0079.185] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.185] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0079.185] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0079.185] CloseHandle (hObject=0x1e0) returned 1 [0079.232] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected") returned 150 [0079.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.protected" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.protected")) returned 1 [0079.233] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0079.233] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0079.234] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 144 [0079.234] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0079.254] lstrlenA (lpString="EMPTY") returned 5 [0079.254] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0079.254] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0079.254] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0079.255] CloseHandle (hObject=0x1dc) returned 1 [0079.255] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0079.255] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0079.255] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 121 [0079.255] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0079.255] lstrlenA (lpString="EMPTY") returned 5 [0079.255] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0079.256] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0079.256] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0079.256] CloseHandle (hObject=0x1d8) returned 1 [0079.256] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0079.256] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0079.257] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 112 [0079.257] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0079.257] lstrlenA (lpString="EMPTY") returned 5 [0079.257] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0079.259] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0079.259] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0079.259] CloseHandle (hObject=0x1d4) returned 1 [0079.259] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0079.259] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Windows") returned -1 [0079.259] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Program Files") returned -1 [0079.259] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0079.259] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0079.259] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="System Volume Information") returned -1 [0079.259] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned 83 [0079.259] lstrcmpW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2=".") returned 1 [0079.259] lstrcmpW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="..") returned 1 [0079.259] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*") returned 85 [0079.259] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0079.259] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.260] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.260] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.260] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.260] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.260] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\.") returned 85 [0079.260] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.260] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0079.260] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.260] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.260] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.260] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.260] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.260] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\..") returned 86 [0079.260] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.260] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.260] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0079.260] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0079.260] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0079.260] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0079.260] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0079.260] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0079.260] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned 92 [0079.260] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0079.260] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0079.260] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*") returned 94 [0079.260] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0079.261] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.261] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.261] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.261] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.261] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.261] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\.") returned 94 [0079.261] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.261] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0079.261] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.261] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.261] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.261] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.261] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.261] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\..") returned 95 [0079.261] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.261] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.262] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0079.262] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0079.262] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0079.262] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0079.262] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0079.262] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0079.262] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64") returned 118 [0079.262] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0079.262] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0079.262] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*") returned 120 [0079.262] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0079.262] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.262] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.262] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.262] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.262] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.262] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\.") returned 120 [0079.262] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.262] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0079.262] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.262] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.262] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.262] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.262] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.263] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\..") returned 121 [0079.263] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.263] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.263] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0079.263] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0079.263] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0079.263] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0079.263] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0079.263] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0079.263] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 127 [0079.263] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0079.263] lstrcmpW (lpString1="cab1.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0079.263] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0079.263] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0079.263] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0079.281] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 127 [0079.281] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0079.281] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 127 [0079.281] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0079.281] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 127 [0079.281] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0079.281] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0079.339] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.339] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0079.339] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.339] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0079.363] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0079.363] CloseHandle (hObject=0x1e0) returned 1 [0079.364] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected") returned 137 [0079.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab.protected")) returned 1 [0079.364] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0079.364] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Windows") returned -1 [0079.364] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files") returned 1 [0079.364] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files (x86)") returned 1 [0079.364] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$Recycle.bin") returned 1 [0079.364] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="System Volume Information") returned 1 [0079.364] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 147 [0079.364] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".protected") returned 0x0 [0079.364] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0079.364] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0079.364] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0079.364] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0079.365] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 147 [0079.365] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".txt") returned 0x0 [0079.365] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 147 [0079.365] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".rar") returned 0x0 [0079.365] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 147 [0079.365] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".zip") returned 0x0 [0079.365] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0079.369] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.369] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0079.370] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.370] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0079.370] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0079.370] CloseHandle (hObject=0x1e0) returned 1 [0079.406] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected") returned 157 [0079.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.protected" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.protected")) returned 1 [0079.407] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0079.407] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0079.408] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 148 [0079.408] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0079.524] lstrlenA (lpString="EMPTY") returned 5 [0079.524] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0079.525] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0079.525] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0079.525] CloseHandle (hObject=0x1dc) returned 1 [0079.525] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0079.525] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0079.525] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 122 [0079.525] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0079.526] lstrlenA (lpString="EMPTY") returned 5 [0079.526] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0079.526] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0079.526] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0079.527] CloseHandle (hObject=0x1d8) returned 1 [0079.527] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0079.527] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0079.527] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 113 [0079.527] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0079.527] lstrlenA (lpString="EMPTY") returned 5 [0079.527] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0079.528] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0079.528] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0079.528] CloseHandle (hObject=0x1d4) returned 1 [0079.528] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0079.528] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Windows") returned -1 [0079.528] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Program Files") returned -1 [0079.528] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Program Files (x86)") returned -1 [0079.528] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="$Recycle.bin") returned 1 [0079.528] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="System Volume Information") returned -1 [0079.528] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned 71 [0079.529] lstrcmpW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2=".") returned 1 [0079.529] lstrcmpW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="..") returned 1 [0079.529] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*") returned 73 [0079.529] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0079.529] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.529] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.529] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.529] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.529] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.529] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\.") returned 73 [0079.529] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.529] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0079.529] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.529] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.529] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.529] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.529] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.529] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\..") returned 74 [0079.529] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.529] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.529] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0079.529] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0079.529] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0079.529] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0079.529] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0079.529] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0079.529] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned 81 [0079.530] StrStrIW (lpFirst="state.rsm", lpSrch=".protected") returned 0x0 [0079.530] lstrcmpW (lpString1="state.rsm", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0079.530] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0079.530] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0079.530] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0079.530] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned 81 [0079.530] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0079.530] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned 81 [0079.530] StrStrW (lpFirst="state.rsm", lpSrch=".rar") returned 0x0 [0079.530] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned 81 [0079.530] StrStrW (lpFirst="state.rsm", lpSrch=".zip") returned 0x0 [0079.530] ReadFile (in: hFile=0x1d8, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eee78*=0x2fe, lpOverlapped=0x0) returned 1 [0079.604] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffd02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.604] WriteFile (in: hFile=0x1d8, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eee78*=0x2fe, lpOverlapped=0x0) returned 1 [0079.604] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.605] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0079.605] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0079.605] CloseHandle (hObject=0x1d8) returned 1 [0079.605] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.protected") returned 91 [0079.605] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.protected" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.protected")) returned 1 [0079.606] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0079.606] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="Windows") returned -1 [0079.606] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="Program Files") returned 1 [0079.606] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="Program Files (x86)") returned 1 [0079.606] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="$Recycle.bin") returned 1 [0079.606] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="System Volume Information") returned 1 [0079.606] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned 89 [0079.606] StrStrIW (lpFirst="VC_redist.x64.exe", lpSrch=".protected") returned 0x0 [0079.606] lstrcmpW (lpString1="VC_redist.x64.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0079.606] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0079.606] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0079.606] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0079.606] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned 89 [0079.606] StrStrW (lpFirst="VC_redist.x64.exe", lpSrch=".txt") returned 0x0 [0079.606] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned 89 [0079.606] StrStrW (lpFirst="VC_redist.x64.exe", lpSrch=".rar") returned 0x0 [0079.606] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned 89 [0079.606] StrStrW (lpFirst="VC_redist.x64.exe", lpSrch=".zip") returned 0x0 [0079.606] ReadFile (in: hFile=0x1d8, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0079.637] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.637] WriteFile (in: hFile=0x1d8, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0079.637] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.638] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0079.701] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0079.702] CloseHandle (hObject=0x1d8) returned 1 [0079.702] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.protected") returned 99 [0079.702] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.protected" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe.protected")) returned 1 [0079.703] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0079.703] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0079.703] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 101 [0079.703] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0079.912] lstrlenA (lpString="EMPTY") returned 5 [0079.912] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0079.913] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0079.913] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0079.913] CloseHandle (hObject=0x1d4) returned 1 [0079.913] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0079.913] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Windows") returned -1 [0079.913] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Program Files") returned -1 [0079.913] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Program Files (x86)") returned -1 [0079.913] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="$Recycle.bin") returned 1 [0079.913] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="System Volume Information") returned -1 [0079.913] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 71 [0079.913] lstrcmpW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2=".") returned 1 [0079.913] lstrcmpW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="..") returned 1 [0079.913] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*") returned 73 [0079.913] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0079.914] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.914] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.914] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.914] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.914] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.914] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\.") returned 73 [0079.914] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.914] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0079.914] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.914] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.914] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.914] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.914] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.914] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\..") returned 74 [0079.915] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.915] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.915] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0079.915] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0079.915] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0079.915] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0079.915] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0079.915] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0079.915] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 81 [0079.915] StrStrIW (lpFirst="state.rsm", lpSrch=".protected") returned 0x0 [0079.915] lstrcmpW (lpString1="state.rsm", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0079.915] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0079.915] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0079.915] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0079.915] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 81 [0079.916] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0079.916] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 81 [0079.916] StrStrW (lpFirst="state.rsm", lpSrch=".rar") returned 0x0 [0079.916] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 81 [0079.916] StrStrW (lpFirst="state.rsm", lpSrch=".zip") returned 0x0 [0079.916] ReadFile (in: hFile=0x1d8, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eee78*=0x29a, lpOverlapped=0x0) returned 1 [0079.916] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffd66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.917] WriteFile (in: hFile=0x1d8, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eee78*=0x29a, lpOverlapped=0x0) returned 1 [0079.917] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.917] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0079.917] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0079.917] CloseHandle (hObject=0x1d8) returned 1 [0079.918] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.protected") returned 91 [0079.918] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.protected" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.protected")) returned 1 [0079.927] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0079.927] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Windows") returned -1 [0079.927] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files") returned 1 [0079.928] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files (x86)") returned 1 [0079.928] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$Recycle.bin") returned 1 [0079.928] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="System Volume Information") returned 1 [0079.928] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 88 [0079.928] StrStrIW (lpFirst="vcredist_x86.exe", lpSrch=".protected") returned 0x0 [0079.928] lstrcmpW (lpString1="vcredist_x86.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0079.928] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0079.928] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0079.928] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0079.929] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 88 [0079.929] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".txt") returned 0x0 [0079.929] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 88 [0079.929] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".rar") returned 0x0 [0079.929] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 88 [0079.929] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".zip") returned 0x0 [0079.929] ReadFile (in: hFile=0x1d8, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0079.941] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.941] WriteFile (in: hFile=0x1d8, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0079.942] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.942] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0079.962] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0079.962] CloseHandle (hObject=0x1d8) returned 1 [0079.962] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.protected") returned 98 [0079.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.protected" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.protected")) returned 1 [0079.963] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0079.963] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0079.963] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 101 [0079.963] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0079.972] lstrlenA (lpString="EMPTY") returned 5 [0079.972] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0079.972] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0079.972] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0079.972] CloseHandle (hObject=0x1d4) returned 1 [0079.973] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0079.973] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Windows") returned -1 [0079.973] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Program Files") returned -1 [0079.973] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Program Files (x86)") returned -1 [0079.973] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="$Recycle.bin") returned 1 [0079.973] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="System Volume Information") returned -1 [0079.973] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned 71 [0079.973] lstrcmpW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2=".") returned 1 [0079.973] lstrcmpW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="..") returned 1 [0079.973] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*") returned 73 [0079.973] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0079.973] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.973] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.973] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.973] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.974] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.974] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\.") returned 73 [0079.974] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.974] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0079.974] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.974] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.974] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.974] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.974] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.974] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\..") returned 74 [0079.974] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.974] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.974] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0079.974] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0079.974] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0079.974] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0079.974] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0079.974] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0079.974] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned 81 [0079.974] StrStrIW (lpFirst="state.rsm", lpSrch=".protected") returned 0x0 [0079.974] lstrcmpW (lpString1="state.rsm", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0079.974] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0079.975] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0079.975] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0079.975] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned 81 [0079.975] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0079.975] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned 81 [0079.975] StrStrW (lpFirst="state.rsm", lpSrch=".rar") returned 0x0 [0079.975] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned 81 [0079.975] StrStrW (lpFirst="state.rsm", lpSrch=".zip") returned 0x0 [0079.975] ReadFile (in: hFile=0x1d8, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eee78*=0x2fe, lpOverlapped=0x0) returned 1 [0080.004] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffffd02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.004] WriteFile (in: hFile=0x1d8, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eee78*=0x2fe, lpOverlapped=0x0) returned 1 [0080.004] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.004] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0080.005] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0080.005] CloseHandle (hObject=0x1d8) returned 1 [0080.005] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.protected") returned 91 [0080.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.protected" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.protected")) returned 1 [0080.006] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0080.006] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="Windows") returned -1 [0080.006] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="Program Files") returned 1 [0080.006] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="Program Files (x86)") returned 1 [0080.006] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="$Recycle.bin") returned 1 [0080.006] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="System Volume Information") returned 1 [0080.006] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned 89 [0080.006] StrStrIW (lpFirst="VC_redist.x86.exe", lpSrch=".protected") returned 0x0 [0080.006] lstrcmpW (lpString1="VC_redist.x86.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0080.006] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0080.006] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0080.006] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0080.006] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned 89 [0080.006] StrStrW (lpFirst="VC_redist.x86.exe", lpSrch=".txt") returned 0x0 [0080.006] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned 89 [0080.006] StrStrW (lpFirst="VC_redist.x86.exe", lpSrch=".rar") returned 0x0 [0080.006] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned 89 [0080.006] StrStrW (lpFirst="VC_redist.x86.exe", lpSrch=".zip") returned 0x0 [0080.006] ReadFile (in: hFile=0x1d8, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0080.038] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.038] WriteFile (in: hFile=0x1d8, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eee78*=0x2800, lpOverlapped=0x0) returned 1 [0080.039] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.040] WriteFile (in: hFile=0x1d8, lpBuffer=0x2eeea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x2eeea4*, lpNumberOfBytesWritten=0x2eee78*=0x4, lpOverlapped=0x0) returned 1 [0080.113] WriteFile (in: hFile=0x1d8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eee78, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eee78*=0x30, lpOverlapped=0x0) returned 1 [0080.114] CloseHandle (hObject=0x1d8) returned 1 [0080.114] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.protected") returned 99 [0080.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.protected" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe.protected")) returned 1 [0080.115] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0080.115] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0080.115] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 101 [0080.115] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0080.157] lstrlenA (lpString="EMPTY") returned 5 [0080.157] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0080.158] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.158] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0080.158] CloseHandle (hObject=0x1d4) returned 1 [0080.158] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0080.158] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Windows") returned -1 [0080.158] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Program Files") returned -1 [0080.158] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0080.158] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0080.158] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="System Volume Information") returned -1 [0080.158] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 82 [0080.158] lstrcmpW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2=".") returned 1 [0080.158] lstrcmpW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="..") returned 1 [0080.158] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*") returned 84 [0080.158] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0080.159] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.159] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.159] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.159] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.159] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.159] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\.") returned 84 [0080.159] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.159] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0080.159] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.159] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.159] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.159] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.159] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.159] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\..") returned 85 [0080.159] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.159] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.159] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0080.159] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0080.159] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0080.159] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0080.159] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0080.159] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0080.159] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned 91 [0080.159] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0080.159] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0080.159] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*") returned 93 [0080.159] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0080.160] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.160] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.160] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.160] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.160] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.160] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\.") returned 93 [0080.160] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.160] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0080.160] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.160] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.160] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.160] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.160] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.160] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\..") returned 94 [0080.160] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.160] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.160] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0080.160] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0080.160] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0080.160] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0080.160] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0080.160] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0080.160] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned 115 [0080.160] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0080.160] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0080.160] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*") returned 117 [0080.161] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0080.161] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.161] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.161] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.161] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.161] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.161] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\.") returned 117 [0080.161] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.161] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0080.161] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.161] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.161] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.161] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.161] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.161] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\..") returned 118 [0080.161] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.161] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.161] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0080.161] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0080.161] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0080.161] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0080.161] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0080.161] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0080.162] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0080.162] StrStrIW (lpFirst="cab1.cab", lpSrch=".protected") returned 0x0 [0080.162] lstrcmpW (lpString1="cab1.cab", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.162] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0080.162] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0080.162] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0080.162] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0080.162] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0080.162] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0080.162] StrStrW (lpFirst="cab1.cab", lpSrch=".rar") returned 0x0 [0080.162] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0080.162] StrStrW (lpFirst="cab1.cab", lpSrch=".zip") returned 0x0 [0080.162] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0080.202] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.202] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0080.202] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.202] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0080.212] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0080.212] CloseHandle (hObject=0x1e0) returned 1 [0080.220] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected") returned 134 [0080.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.protected" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab.protected")) returned 1 [0080.220] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0080.220] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Windows") returned -1 [0080.220] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files") returned 1 [0080.220] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files (x86)") returned 1 [0080.220] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$Recycle.bin") returned 1 [0080.220] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="System Volume Information") returned 1 [0080.220] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0080.221] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".protected") returned 0x0 [0080.221] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0080.221] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee8b8 | out: pbBuffer=0x2ee8b8) returned 1 [0080.221] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee8ac*=0x30) returned 1 [0080.221] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0080.221] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0080.221] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".txt") returned 0x0 [0080.221] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0080.221] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".rar") returned 0x0 [0080.221] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0080.221] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".zip") returned 0x0 [0080.221] ReadFile (in: hFile=0x1e0, lpBuffer=0x60b7b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesRead=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0080.247] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.247] WriteFile (in: hFile=0x1e0, lpBuffer=0x60b7b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x60b7b0*, lpNumberOfBytesWritten=0x2ee888*=0x2800, lpOverlapped=0x0) returned 1 [0080.248] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.248] WriteFile (in: hFile=0x1e0, lpBuffer=0x2ee8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x2ee8b4*, lpNumberOfBytesWritten=0x2ee888*=0x4, lpOverlapped=0x0) returned 1 [0080.248] WriteFile (in: hFile=0x1e0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee888, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee888*=0x30, lpOverlapped=0x0) returned 1 [0080.248] CloseHandle (hObject=0x1e0) returned 1 [0080.249] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected") returned 154 [0080.249] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.protected" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.protected")) returned 1 [0080.249] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0080.249] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0080.250] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 145 [0080.250] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0080.267] lstrlenA (lpString="EMPTY") returned 5 [0080.267] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0080.268] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.268] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0080.268] CloseHandle (hObject=0x1dc) returned 1 [0080.268] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0080.268] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0080.268] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 121 [0080.268] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0080.269] lstrlenA (lpString="EMPTY") returned 5 [0080.269] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0080.270] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.270] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0080.270] CloseHandle (hObject=0x1d8) returned 1 [0080.270] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0080.270] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0080.270] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 112 [0080.270] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0080.271] lstrlenA (lpString="EMPTY") returned 5 [0080.271] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0080.271] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.271] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0080.271] CloseHandle (hObject=0x1d4) returned 1 [0080.271] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0080.271] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0080.271] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 62 [0080.271] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\package cache\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0080.272] lstrlenA (lpString="EMPTY") returned 5 [0080.272] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0080.273] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.273] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0080.273] CloseHandle (hObject=0x1d0) returned 1 [0080.273] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0080.273] lstrcmpiW (lpString1="Start Menu", lpString2="Windows") returned -1 [0080.273] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files") returned 1 [0080.273] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files (x86)") returned 1 [0080.273] lstrcmpiW (lpString1="Start Menu", lpString2="$Recycle.bin") returned 1 [0080.273] lstrcmpiW (lpString1="Start Menu", lpString2="System Volume Information") returned -1 [0080.273] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Start Menu") returned 29 [0080.273] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1 [0080.273] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1 [0080.273] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Start Menu\\*") returned 31 [0080.273] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Start Menu\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0xffffffff [0080.273] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0080.273] lstrcmpiW (lpString1="Sun", lpString2="Windows") returned -1 [0080.273] lstrcmpiW (lpString1="Sun", lpString2="Program Files") returned 1 [0080.273] lstrcmpiW (lpString1="Sun", lpString2="Program Files (x86)") returned 1 [0080.273] lstrcmpiW (lpString1="Sun", lpString2="$Recycle.bin") returned 1 [0080.273] lstrcmpiW (lpString1="Sun", lpString2="System Volume Information") returned -1 [0080.273] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun") returned 22 [0080.273] lstrcmpW (lpString1="Sun", lpString2=".") returned 1 [0080.274] lstrcmpW (lpString1="Sun", lpString2="..") returned 1 [0080.274] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\*") returned 24 [0080.274] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Sun\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0080.274] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.274] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.274] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.274] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.274] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.274] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\.") returned 24 [0080.274] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.274] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0080.275] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.275] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.275] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.275] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.275] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.275] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\..") returned 25 [0080.275] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.275] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.275] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0080.275] lstrcmpiW (lpString1="Java", lpString2="Windows") returned -1 [0080.275] lstrcmpiW (lpString1="Java", lpString2="Program Files") returned -1 [0080.275] lstrcmpiW (lpString1="Java", lpString2="Program Files (x86)") returned -1 [0080.275] lstrcmpiW (lpString1="Java", lpString2="$Recycle.bin") returned 1 [0080.275] lstrcmpiW (lpString1="Java", lpString2="System Volume Information") returned -1 [0080.275] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java") returned 27 [0080.275] lstrcmpW (lpString1="Java", lpString2=".") returned 1 [0080.275] lstrcmpW (lpString1="Java", lpString2="..") returned 1 [0080.275] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\*") returned 29 [0080.275] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0080.275] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.275] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.275] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.275] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.275] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.275] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\.") returned 29 [0080.275] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.275] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0080.276] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.276] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.276] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.276] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.276] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.276] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\..") returned 30 [0080.276] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.276] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.276] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0080.276] lstrcmpiW (lpString1="Java Update", lpString2="Windows") returned -1 [0080.276] lstrcmpiW (lpString1="Java Update", lpString2="Program Files") returned -1 [0080.276] lstrcmpiW (lpString1="Java Update", lpString2="Program Files (x86)") returned -1 [0080.276] lstrcmpiW (lpString1="Java Update", lpString2="$Recycle.bin") returned 1 [0080.276] lstrcmpiW (lpString1="Java Update", lpString2="System Volume Information") returned -1 [0080.276] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update") returned 39 [0080.276] lstrcmpW (lpString1="Java Update", lpString2=".") returned 1 [0080.276] lstrcmpW (lpString1="Java Update", lpString2="..") returned 1 [0080.276] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*") returned 41 [0080.276] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0080.276] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.276] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.276] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.276] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.276] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.276] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\.") returned 41 [0080.276] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.276] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0080.276] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.276] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.277] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.277] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.277] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.277] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\..") returned 42 [0080.277] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.277] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.277] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0080.277] lstrcmpiW (lpString1="jaureglist.xml", lpString2="Windows") returned -1 [0080.277] lstrcmpiW (lpString1="jaureglist.xml", lpString2="Program Files") returned -1 [0080.277] lstrcmpiW (lpString1="jaureglist.xml", lpString2="Program Files (x86)") returned -1 [0080.277] lstrcmpiW (lpString1="jaureglist.xml", lpString2="$Recycle.bin") returned 1 [0080.277] lstrcmpiW (lpString1="jaureglist.xml", lpString2="System Volume Information") returned -1 [0080.277] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml") returned 54 [0080.277] StrStrIW (lpFirst="jaureglist.xml", lpSrch=".protected") returned 0x0 [0080.277] lstrcmpW (lpString1="jaureglist.xml", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0080.277] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0080.277] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0080.277] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0080.277] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml") returned 54 [0080.277] StrStrW (lpFirst="jaureglist.xml", lpSrch=".txt") returned 0x0 [0080.277] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml") returned 54 [0080.277] StrStrW (lpFirst="jaureglist.xml", lpSrch=".rar") returned 0x0 [0080.277] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml") returned 54 [0080.277] StrStrW (lpFirst="jaureglist.xml", lpSrch=".zip") returned 0x0 [0080.278] ReadFile (in: hFile=0x1dc, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2eeb80*=0x77, lpOverlapped=0x0) returned 1 [0080.278] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffff89, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.278] WriteFile (in: hFile=0x1dc, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x77, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2eeb80*=0x77, lpOverlapped=0x0) returned 1 [0080.278] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.279] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0080.279] WriteFile (in: hFile=0x1dc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0080.279] CloseHandle (hObject=0x1dc) returned 1 [0080.279] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml.protected") returned 64 [0080.279] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml.protected" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml.protected")) returned 1 [0080.279] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0 [0080.279] FindClose (in: hFindFile=0x5573b0 | out: hFindFile=0x5573b0) returned 1 [0080.279] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 69 [0080.279] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\sun\\java\\java update\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0080.280] lstrlenA (lpString="EMPTY") returned 5 [0080.280] WriteFile (in: hFile=0x1d8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eeb8c*=0x5, lpOverlapped=0x0) returned 1 [0080.280] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.281] WriteFile (in: hFile=0x1d8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eeb8c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eeb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0080.281] CloseHandle (hObject=0x1d8) returned 1 [0080.281] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0 [0080.281] FindClose (in: hFindFile=0x557370 | out: hFindFile=0x557370) returned 1 [0080.281] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 57 [0080.281] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\sun\\java\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0080.282] lstrlenA (lpString="EMPTY") returned 5 [0080.282] WriteFile (in: hFile=0x1d4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2eee84*=0x5, lpOverlapped=0x0) returned 1 [0080.282] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.282] WriteFile (in: hFile=0x1d4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2eee84, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2eee84*=0x2ac, lpOverlapped=0x0) returned 1 [0080.283] CloseHandle (hObject=0x1d4) returned 1 [0080.283] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0080.283] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0080.283] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 52 [0080.283] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\sun\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0080.283] lstrlenA (lpString="EMPTY") returned 5 [0080.283] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0080.284] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.284] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0080.284] CloseHandle (hObject=0x1d0) returned 1 [0080.284] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0080.284] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0080.284] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0080.284] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0080.284] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0080.284] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0080.285] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Templates") returned 28 [0080.285] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0080.285] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0080.285] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Templates\\*") returned 30 [0080.285] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Templates\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0xffffffff [0080.285] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0 [0080.285] FindClose (in: hFindFile=0x5572f0 | out: hFindFile=0x5572f0) returned 1 [0080.285] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 48 [0080.285] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\programdata\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0080.285] lstrlenA (lpString="EMPTY") returned 5 [0080.285] WriteFile (in: hFile=0x1cc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef474, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef474*=0x5, lpOverlapped=0x0) returned 1 [0080.286] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.286] WriteFile (in: hFile=0x1cc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef474, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef474*=0x2ac, lpOverlapped=0x0) returned 1 [0080.286] CloseHandle (hObject=0x1cc) returned 1 [0080.287] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0080.287] lstrcmpiW (lpString1="Recovery", lpString2="Windows") returned -1 [0080.287] lstrcmpiW (lpString1="Recovery", lpString2="Program Files") returned 1 [0080.287] lstrcmpiW (lpString1="Recovery", lpString2="Program Files (x86)") returned 1 [0080.287] lstrcmpiW (lpString1="Recovery", lpString2="$Recycle.bin") returned 1 [0080.287] lstrcmpiW (lpString1="Recovery", lpString2="System Volume Information") returned -1 [0080.287] wnsprintfW (in: pszDest=0x573520, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery") returned 15 [0080.287] lstrcmpW (lpString1="Recovery", lpString2=".") returned 1 [0080.287] lstrcmpW (lpString1="Recovery", lpString2="..") returned 1 [0080.287] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Recovery\\*") returned 17 [0080.287] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\*", lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0x5572f0 [0080.288] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.288] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.288] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.288] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.288] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.288] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\.") returned 17 [0080.288] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.288] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0080.288] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.288] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0080.288] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0080.288] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\." (normalized: "c:\\recovery\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.288] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0080.288] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.288] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.288] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.288] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.288] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.288] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\..") returned 18 [0080.288] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.288] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.288] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0080.288] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.289] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0080.289] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0080.289] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.289] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0080.289] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="Windows") returned -1 [0080.289] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="Program Files") returned -1 [0080.289] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="Program Files (x86)") returned -1 [0080.289] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="$Recycle.bin") returned 1 [0080.289] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="System Volume Information") returned -1 [0080.289] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 52 [0080.289] lstrcmpW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2=".") returned 1 [0080.289] lstrcmpW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="..") returned 1 [0080.289] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*") returned 54 [0080.289] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0080.289] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.289] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.289] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.289] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.289] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.289] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\.") returned 54 [0080.289] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.289] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0080.289] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.289] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0080.290] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0080.290] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\." (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.290] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0080.290] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.290] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.290] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.290] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.290] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.290] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\..") returned 55 [0080.290] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.290] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.290] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0080.290] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.290] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0080.290] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0080.290] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\.." (normalized: "c:\\recovery"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.290] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0080.290] lstrcmpiW (lpString1="boot.sdi", lpString2="Windows") returned -1 [0080.290] lstrcmpiW (lpString1="boot.sdi", lpString2="Program Files") returned -1 [0080.290] lstrcmpiW (lpString1="boot.sdi", lpString2="Program Files (x86)") returned -1 [0080.290] lstrcmpiW (lpString1="boot.sdi", lpString2="$Recycle.bin") returned 1 [0080.290] lstrcmpiW (lpString1="boot.sdi", lpString2="System Volume Information") returned -1 [0080.290] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 61 [0080.290] StrStrIW (lpFirst="boot.sdi", lpSrch=".protected") returned 0x0 [0080.290] lstrcmpW (lpString1="boot.sdi", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.290] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0080.290] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0080.291] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0080.291] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 61 [0080.291] StrStrW (lpFirst="boot.sdi", lpSrch=".txt") returned 0x0 [0080.291] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 61 [0080.291] StrStrW (lpFirst="boot.sdi", lpSrch=".rar") returned 0x0 [0080.291] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 61 [0080.291] StrStrW (lpFirst="boot.sdi", lpSrch=".zip") returned 0x0 [0080.291] ReadFile (in: hFile=0x1d4, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2ef170*=0x2800, lpOverlapped=0x0) returned 1 [0080.322] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.322] WriteFile (in: hFile=0x1d4, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2ef170*=0x2800, lpOverlapped=0x0) returned 1 [0080.323] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.324] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0080.325] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0080.325] CloseHandle (hObject=0x1d4) returned 1 [0080.359] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.protected") returned 71 [0080.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.protected" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.protected")) returned 1 [0080.359] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0080.359] lstrcmpiW (lpString1="Winre.wim", lpString2="Windows") returned 1 [0080.359] lstrcmpiW (lpString1="Winre.wim", lpString2="Program Files") returned 1 [0080.359] lstrcmpiW (lpString1="Winre.wim", lpString2="Program Files (x86)") returned 1 [0080.359] lstrcmpiW (lpString1="Winre.wim", lpString2="$Recycle.bin") returned 1 [0080.359] lstrcmpiW (lpString1="Winre.wim", lpString2="System Volume Information") returned 1 [0080.359] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 62 [0080.359] StrStrIW (lpFirst="Winre.wim", lpSrch=".protected") returned 0x0 [0080.359] lstrcmpW (lpString1="Winre.wim", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0080.359] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef1a0 | out: pbBuffer=0x2ef1a0) returned 1 [0080.359] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef194*=0x30) returned 1 [0080.359] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0080.361] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 62 [0080.361] StrStrW (lpFirst="Winre.wim", lpSrch=".txt") returned 0x0 [0080.361] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 62 [0080.361] StrStrW (lpFirst="Winre.wim", lpSrch=".rar") returned 0x0 [0080.361] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 62 [0080.361] StrStrW (lpFirst="Winre.wim", lpSrch=".zip") returned 0x0 [0080.361] ReadFile (in: hFile=0x1d4, lpBuffer=0x60a7a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesRead=0x2ef170*=0x2800, lpOverlapped=0x0) returned 1 [0080.407] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.407] WriteFile (in: hFile=0x1d4, lpBuffer=0x60a7a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x60a7a8*, lpNumberOfBytesWritten=0x2ef170*=0x2800, lpOverlapped=0x0) returned 1 [0080.407] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.407] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ef19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x2ef19c*, lpNumberOfBytesWritten=0x2ef170*=0x4, lpOverlapped=0x0) returned 1 [0080.432] WriteFile (in: hFile=0x1d4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ef170, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ef170*=0x30, lpOverlapped=0x0) returned 1 [0080.432] CloseHandle (hObject=0x1d4) returned 1 [0080.441] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.protected") returned 72 [0080.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.protected" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.protected")) returned 1 [0080.442] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0 [0080.442] FindClose (in: hFindFile=0x557330 | out: hFindFile=0x557330) returned 1 [0080.442] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 82 [0080.442] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0080.529] lstrlenA (lpString="EMPTY") returned 5 [0080.529] WriteFile (in: hFile=0x1d0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef17c*=0x5, lpOverlapped=0x0) returned 1 [0080.530] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.530] WriteFile (in: hFile=0x1d0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef17c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef17c*=0x2ac, lpOverlapped=0x0) returned 1 [0080.530] CloseHandle (hObject=0x1d0) returned 1 [0080.530] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0 [0080.530] FindClose (in: hFindFile=0x5572f0 | out: hFindFile=0x5572f0) returned 1 [0080.530] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 45 [0080.530] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\recovery\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0080.531] lstrlenA (lpString="EMPTY") returned 5 [0080.531] WriteFile (in: hFile=0x1cc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ef474, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ef474*=0x5, lpOverlapped=0x0) returned 1 [0080.531] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.531] WriteFile (in: hFile=0x1cc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ef474, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ef474*=0x2ac, lpOverlapped=0x0) returned 1 [0080.533] CloseHandle (hObject=0x1cc) returned 1 [0080.533] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0080.533] lstrcmpiW (lpString1="System Volume Information", lpString2="Windows") returned -1 [0080.533] lstrcmpiW (lpString1="System Volume Information", lpString2="Program Files") returned 1 [0080.533] lstrcmpiW (lpString1="System Volume Information", lpString2="Program Files (x86)") returned 1 [0080.533] lstrcmpiW (lpString1="System Volume Information", lpString2="$Recycle.bin") returned 1 [0080.533] lstrcmpiW (lpString1="System Volume Information", lpString2="System Volume Information") returned 0 [0080.533] FindNextFileW (in: hFindFile=0x5571f0, lpFindFileData=0x2ef7f0 | out: lpFindFileData=0x2ef7f0) returned 1 [0080.533] lstrcmpiW (lpString1="Users", lpString2="Windows") returned -1 [0080.533] lstrcmpiW (lpString1="Users", lpString2="Program Files") returned 1 [0080.533] lstrcmpiW (lpString1="Users", lpString2="Program Files (x86)") returned 1 [0080.533] lstrcmpiW (lpString1="Users", lpString2="$Recycle.bin") returned 1 [0080.533] lstrcmpiW (lpString1="Users", lpString2="System Volume Information") returned 1 [0080.533] wnsprintfW (in: pszDest=0x573520, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users") returned 12 [0080.533] lstrcmpW (lpString1="Users", lpString2=".") returned 1 [0080.533] lstrcmpW (lpString1="Users", lpString2="..") returned 1 [0080.533] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\*") returned 14 [0080.533] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\*", lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 0x5572f0 [0080.533] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.533] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.533] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.534] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.534] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.534] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\.") returned 14 [0080.534] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.534] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0080.534] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.534] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0080.534] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0080.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\." (normalized: "c:\\users\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.534] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0080.534] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.534] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.534] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.534] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.534] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.534] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\..") returned 15 [0080.534] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.534] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.534] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0080.534] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.534] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ef498 | out: pbBuffer=0x2ef498) returned 1 [0080.534] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ef48c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ef48c*=0x30) returned 1 [0080.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.534] FindNextFileW (in: hFindFile=0x5572f0, lpFindFileData=0x2ef4f8 | out: lpFindFileData=0x2ef4f8) returned 1 [0080.534] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="Windows") returned -1 [0080.534] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="Program Files") returned -1 [0080.534] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="Program Files (x86)") returned -1 [0080.534] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="$Recycle.bin") returned 1 [0080.535] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="System Volume Information") returned -1 [0080.535] wnsprintfW (in: pszDest=0x5fa760, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 33 [0080.535] lstrcmpW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2=".") returned 1 [0080.535] lstrcmpW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="..") returned 1 [0080.535] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 35 [0080.535] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*", lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 0x557330 [0080.535] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.535] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.535] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.535] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.535] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.535] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\.") returned 35 [0080.535] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.535] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0080.535] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.535] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.535] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.535] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.535] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.535] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\..") returned 36 [0080.535] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.535] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.535] FindNextFileW (in: hFindFile=0x557330, lpFindFileData=0x2ef200 | out: lpFindFileData=0x2ef200) returned 1 [0080.535] lstrcmpiW (lpString1="AppData", lpString2="Windows") returned -1 [0080.535] lstrcmpiW (lpString1="AppData", lpString2="Program Files") returned -1 [0080.535] lstrcmpiW (lpString1="AppData", lpString2="Program Files (x86)") returned -1 [0080.535] lstrcmpiW (lpString1="AppData", lpString2="$Recycle.bin") returned 1 [0080.535] lstrcmpiW (lpString1="AppData", lpString2="System Volume Information") returned -1 [0080.535] wnsprintfW (in: pszDest=0x583568, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData") returned 41 [0080.535] lstrcmpW (lpString1="AppData", lpString2=".") returned 1 [0080.536] lstrcmpW (lpString1="AppData", lpString2="..") returned 1 [0080.536] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*") returned 43 [0080.536] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*", lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 0x557370 [0080.536] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.536] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.536] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.536] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.536] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.536] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\.") returned 43 [0080.536] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.536] StrStrIW (lpFirst=".", lpSrch=".protected") returned 0x0 [0080.536] lstrcmpW (lpString1=".", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.536] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0080.536] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0080.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.537] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0080.537] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.537] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.537] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.537] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.537] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.537] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\..") returned 44 [0080.537] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.537] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.537] StrStrIW (lpFirst="..", lpSrch=".protected") returned 0x0 [0080.537] lstrcmpW (lpString1="..", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.537] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eeea8 | out: pbBuffer=0x2eeea8) returned 1 [0080.537] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eee9c*=0x30) returned 1 [0080.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.537] FindNextFileW (in: hFindFile=0x557370, lpFindFileData=0x2eef08 | out: lpFindFileData=0x2eef08) returned 1 [0080.537] lstrcmpiW (lpString1="Local", lpString2="Windows") returned -1 [0080.537] lstrcmpiW (lpString1="Local", lpString2="Program Files") returned -1 [0080.537] lstrcmpiW (lpString1="Local", lpString2="Program Files (x86)") returned -1 [0080.537] lstrcmpiW (lpString1="Local", lpString2="$Recycle.bin") returned 1 [0080.538] lstrcmpiW (lpString1="Local", lpString2="System Volume Information") returned -1 [0080.538] wnsprintfW (in: pszDest=0x5935b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 47 [0080.538] lstrcmpW (lpString1="Local", lpString2=".") returned 1 [0080.538] lstrcmpW (lpString1="Local", lpString2="..") returned 1 [0080.538] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*") returned 49 [0080.538] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*", lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 0x5573b0 [0080.538] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.538] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.538] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.538] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.538] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.538] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\.") returned 49 [0080.538] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.538] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0080.538] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.538] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.538] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.539] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.539] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.539] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\..") returned 50 [0080.539] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.539] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.539] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0080.539] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0080.539] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0080.539] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0080.539] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0080.539] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0080.539] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe") returned 53 [0080.539] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0080.539] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0080.539] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*") returned 55 [0080.539] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0080.539] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.539] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.539] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.539] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.539] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.539] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\.") returned 55 [0080.539] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.539] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0080.539] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.539] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.540] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.540] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.540] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.540] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\..") returned 56 [0080.540] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.540] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.540] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0080.540] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0080.540] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0080.540] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0080.540] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0080.540] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0080.540] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat") returned 61 [0080.540] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0080.540] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0080.541] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*") returned 63 [0080.541] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0080.541] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.541] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.541] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.541] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.541] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.541] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\.") returned 63 [0080.541] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.541] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0080.541] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.541] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.541] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.541] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.541] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.541] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\..") returned 64 [0080.541] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.541] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.541] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0080.541] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0080.541] lstrcmpiW (lpString1="10.0", lpString2="Program Files") returned -1 [0080.541] lstrcmpiW (lpString1="10.0", lpString2="Program Files (x86)") returned -1 [0080.541] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0080.541] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0080.541] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0") returned 66 [0080.541] lstrcmpW (lpString1="10.0", lpString2=".") returned 1 [0080.541] lstrcmpW (lpString1="10.0", lpString2="..") returned 1 [0080.542] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*") returned 68 [0080.542] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 0x557470 [0080.542] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.542] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.542] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.542] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.542] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.543] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\.") returned 68 [0080.543] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.543] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0080.543] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.543] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.543] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.543] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.543] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.543] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\..") returned 69 [0080.543] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.543] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.543] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0080.543] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="Windows") returned -1 [0080.543] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="Program Files") returned -1 [0080.543] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="Program Files (x86)") returned -1 [0080.543] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="$Recycle.bin") returned 1 [0080.543] lstrcmpiW (lpString1="AdobeCMapFnt10.lst", lpString2="System Volume Information") returned -1 [0080.543] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned 85 [0080.543] StrStrIW (lpFirst="AdobeCMapFnt10.lst", lpSrch=".protected") returned 0x0 [0080.543] lstrcmpW (lpString1="AdobeCMapFnt10.lst", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.543] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee2c8 | out: pbBuffer=0x2ee2c8) returned 1 [0080.543] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x30) returned 1 [0080.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0080.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned 85 [0080.544] StrStrW (lpFirst="AdobeCMapFnt10.lst", lpSrch=".txt") returned 0x0 [0080.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned 85 [0080.544] StrStrW (lpFirst="AdobeCMapFnt10.lst", lpSrch=".rar") returned 0x0 [0080.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned 85 [0080.544] StrStrW (lpFirst="AdobeCMapFnt10.lst", lpSrch=".zip") returned 0x0 [0080.544] ReadFile (in: hFile=0x1e8, lpBuffer=0x60d7c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x60d7c0*, lpNumberOfBytesRead=0x2ee298*=0x2800, lpOverlapped=0x0) returned 1 [0080.608] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.608] WriteFile (in: hFile=0x1e8, lpBuffer=0x60d7c0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x60d7c0*, lpNumberOfBytesWritten=0x2ee298*=0x2800, lpOverlapped=0x0) returned 1 [0080.608] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.608] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ee2c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x2ee2c4*, lpNumberOfBytesWritten=0x2ee298*=0x4, lpOverlapped=0x0) returned 1 [0080.610] WriteFile (in: hFile=0x1e8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee298*=0x30, lpOverlapped=0x0) returned 1 [0080.610] CloseHandle (hObject=0x1e8) returned 1 [0080.610] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst.protected") returned 95 [0080.610] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst.protected")) returned 1 [0080.610] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0080.610] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="Windows") returned -1 [0080.610] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="Program Files") returned -1 [0080.611] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="Program Files (x86)") returned -1 [0080.611] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="$Recycle.bin") returned 1 [0080.611] lstrcmpiW (lpString1="AdobeSysFnt10.lst", lpString2="System Volume Information") returned -1 [0080.611] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst") returned 84 [0080.611] StrStrIW (lpFirst="AdobeSysFnt10.lst", lpSrch=".protected") returned 0x0 [0080.611] lstrcmpW (lpString1="AdobeSysFnt10.lst", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.611] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee2c8 | out: pbBuffer=0x2ee2c8) returned 1 [0080.611] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x30) returned 1 [0080.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobesysfnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0080.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst") returned 84 [0080.611] StrStrW (lpFirst="AdobeSysFnt10.lst", lpSrch=".txt") returned 0x0 [0080.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst") returned 84 [0080.611] StrStrW (lpFirst="AdobeSysFnt10.lst", lpSrch=".rar") returned 0x0 [0080.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst") returned 84 [0080.611] StrStrW (lpFirst="AdobeSysFnt10.lst", lpSrch=".zip") returned 0x0 [0080.612] ReadFile (in: hFile=0x1e8, lpBuffer=0x60d7c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x60d7c0*, lpNumberOfBytesRead=0x2ee298*=0x2800, lpOverlapped=0x0) returned 1 [0080.628] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.628] WriteFile (in: hFile=0x1e8, lpBuffer=0x60d7c0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x60d7c0*, lpNumberOfBytesWritten=0x2ee298*=0x2800, lpOverlapped=0x0) returned 1 [0080.629] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.629] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ee2c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x2ee2c4*, lpNumberOfBytesWritten=0x2ee298*=0x4, lpOverlapped=0x0) returned 1 [0080.654] WriteFile (in: hFile=0x1e8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee298*=0x30, lpOverlapped=0x0) returned 1 [0080.655] CloseHandle (hObject=0x1e8) returned 1 [0080.655] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst.protected") returned 94 [0080.655] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobesysfnt10.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobesysfnt10.lst.protected")) returned 1 [0080.655] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0080.655] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0080.655] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0080.655] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0080.655] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0080.655] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0080.656] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache") returned 72 [0080.656] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0080.656] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0080.656] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\*") returned 74 [0080.656] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\*", lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 0x5574b0 [0080.656] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.656] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.656] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.656] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.656] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.656] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\.") returned 74 [0080.656] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.656] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0080.656] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.656] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.656] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.656] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.656] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.656] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\..") returned 75 [0080.656] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.656] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.656] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0080.656] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="Windows") returned -1 [0080.656] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="Program Files") returned -1 [0080.656] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="Program Files (x86)") returned -1 [0080.656] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="$Recycle.bin") returned 1 [0080.656] lstrcmpiW (lpString1="AcroFnt10.lst", lpString2="System Volume Information") returned -1 [0080.657] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst") returned 86 [0080.657] StrStrIW (lpFirst="AcroFnt10.lst", lpSrch=".protected") returned 0x0 [0080.657] lstrcmpW (lpString1="AcroFnt10.lst", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.657] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edfd0 | out: pbBuffer=0x2edfd0) returned 1 [0080.657] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x30) returned 1 [0080.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\acrofnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0080.657] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst") returned 86 [0080.657] StrStrW (lpFirst="AcroFnt10.lst", lpSrch=".txt") returned 0x0 [0080.657] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst") returned 86 [0080.657] StrStrW (lpFirst="AcroFnt10.lst", lpSrch=".rar") returned 0x0 [0080.657] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst") returned 86 [0080.657] StrStrW (lpFirst="AcroFnt10.lst", lpSrch=".zip") returned 0x0 [0080.657] ReadFile (in: hFile=0x1ec, lpBuffer=0x60e7c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x60e7c8*, lpNumberOfBytesRead=0x2edfa0*=0x2800, lpOverlapped=0x0) returned 1 [0080.751] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.751] WriteFile (in: hFile=0x1ec, lpBuffer=0x60e7c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x60e7c8*, lpNumberOfBytesWritten=0x2edfa0*=0x2800, lpOverlapped=0x0) returned 1 [0080.752] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.752] WriteFile (in: hFile=0x1ec, lpBuffer=0x2edfcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x2edfcc*, lpNumberOfBytesWritten=0x2edfa0*=0x4, lpOverlapped=0x0) returned 1 [0080.752] WriteFile (in: hFile=0x1ec, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edfa0*=0x30, lpOverlapped=0x0) returned 1 [0080.752] CloseHandle (hObject=0x1ec) returned 1 [0080.753] wnsprintfW (in: pszDest=0x60e7c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst.protected") returned 96 [0080.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\acrofnt10.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\acrofnt10.lst.protected")) returned 1 [0080.753] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 0 [0080.753] FindClose (in: hFindFile=0x5574b0 | out: hFindFile=0x5574b0) returned 1 [0080.754] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 102 [0080.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0080.754] lstrlenA (lpString="EMPTY") returned 5 [0080.754] WriteFile (in: hFile=0x1e8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edfac, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edfac*=0x5, lpOverlapped=0x0) returned 1 [0080.755] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.755] WriteFile (in: hFile=0x1e8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edfac, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edfac*=0x2ac, lpOverlapped=0x0) returned 1 [0080.755] CloseHandle (hObject=0x1e8) returned 1 [0080.756] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0080.756] lstrcmpiW (lpString1="SharedDataEvents", lpString2="Windows") returned -1 [0080.756] lstrcmpiW (lpString1="SharedDataEvents", lpString2="Program Files") returned 1 [0080.756] lstrcmpiW (lpString1="SharedDataEvents", lpString2="Program Files (x86)") returned 1 [0080.756] lstrcmpiW (lpString1="SharedDataEvents", lpString2="$Recycle.bin") returned 1 [0080.756] lstrcmpiW (lpString1="SharedDataEvents", lpString2="System Volume Information") returned -1 [0080.756] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents") returned 83 [0080.756] StrStrIW (lpFirst="SharedDataEvents", lpSrch=".protected") returned 0x0 [0080.756] lstrcmpW (lpString1="SharedDataEvents", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0080.756] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee2c8 | out: pbBuffer=0x2ee2c8) returned 1 [0080.756] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x30) returned 1 [0080.756] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\shareddataevents"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0080.757] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents") returned 83 [0080.757] StrStrW (lpFirst="SharedDataEvents", lpSrch=".txt") returned 0x0 [0080.757] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents") returned 83 [0080.757] StrStrW (lpFirst="SharedDataEvents", lpSrch=".rar") returned 0x0 [0080.757] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents") returned 83 [0080.757] StrStrW (lpFirst="SharedDataEvents", lpSrch=".zip") returned 0x0 [0080.757] ReadFile (in: hFile=0x1e8, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2ee298*=0x1400, lpOverlapped=0x0) returned 1 [0080.783] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xffffec00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.783] WriteFile (in: hFile=0x1e8, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2ee298*=0x1400, lpOverlapped=0x0) returned 1 [0080.783] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.783] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ee2c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x2ee2c4*, lpNumberOfBytesWritten=0x2ee298*=0x4, lpOverlapped=0x0) returned 1 [0080.783] WriteFile (in: hFile=0x1e8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee298*=0x30, lpOverlapped=0x0) returned 1 [0080.784] CloseHandle (hObject=0x1e8) returned 1 [0080.784] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents.protected") returned 93 [0080.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\shareddataevents"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\shareddataevents.protected")) returned 1 [0080.784] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0080.784] lstrcmpiW (lpString1="UserCache.bin", lpString2="Windows") returned -1 [0080.785] lstrcmpiW (lpString1="UserCache.bin", lpString2="Program Files") returned 1 [0080.785] lstrcmpiW (lpString1="UserCache.bin", lpString2="Program Files (x86)") returned 1 [0080.785] lstrcmpiW (lpString1="UserCache.bin", lpString2="$Recycle.bin") returned 1 [0080.785] lstrcmpiW (lpString1="UserCache.bin", lpString2="System Volume Information") returned 1 [0080.785] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin") returned 80 [0080.785] StrStrIW (lpFirst="UserCache.bin", lpSrch=".protected") returned 0x0 [0080.785] lstrcmpW (lpString1="UserCache.bin", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0080.785] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee2c8 | out: pbBuffer=0x2ee2c8) returned 1 [0080.785] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x30) returned 1 [0080.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\usercache.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0080.785] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin") returned 80 [0080.785] StrStrW (lpFirst="UserCache.bin", lpSrch=".txt") returned 0x0 [0080.785] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin") returned 80 [0080.785] StrStrW (lpFirst="UserCache.bin", lpSrch=".rar") returned 0x0 [0080.785] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin") returned 80 [0080.785] StrStrW (lpFirst="UserCache.bin", lpSrch=".zip") returned 0x0 [0080.785] ReadFile (in: hFile=0x1e8, lpBuffer=0x5c7688, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesRead=0x2ee298*=0x2800, lpOverlapped=0x0) returned 1 [0080.820] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.820] WriteFile (in: hFile=0x1e8, lpBuffer=0x5c7688*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x5c7688*, lpNumberOfBytesWritten=0x2ee298*=0x2800, lpOverlapped=0x0) returned 1 [0080.820] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.820] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ee2c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x2ee2c4*, lpNumberOfBytesWritten=0x2ee298*=0x4, lpOverlapped=0x0) returned 1 [0080.845] WriteFile (in: hFile=0x1e8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee298*=0x30, lpOverlapped=0x0) returned 1 [0080.845] CloseHandle (hObject=0x1e8) returned 1 [0080.845] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin.protected") returned 90 [0080.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\usercache.bin"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\usercache.bin.protected")) returned 1 [0080.846] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 0 [0080.846] FindClose (in: hFindFile=0x557470 | out: hFindFile=0x557470) returned 1 [0080.846] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 96 [0080.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0080.875] lstrlenA (lpString="EMPTY") returned 5 [0080.875] WriteFile (in: hFile=0x1e4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee2a4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee2a4*=0x5, lpOverlapped=0x0) returned 1 [0080.876] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.876] WriteFile (in: hFile=0x1e4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee2a4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee2a4*=0x2ac, lpOverlapped=0x0) returned 1 [0080.876] CloseHandle (hObject=0x1e4) returned 1 [0080.876] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0080.876] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0080.877] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 91 [0080.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0080.877] lstrlenA (lpString="EMPTY") returned 5 [0080.877] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0080.878] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0080.878] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0080.878] CloseHandle (hObject=0x1e0) returned 1 [0080.878] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0080.879] lstrcmpiW (lpString1="Color", lpString2="Windows") returned -1 [0080.879] lstrcmpiW (lpString1="Color", lpString2="Program Files") returned -1 [0080.879] lstrcmpiW (lpString1="Color", lpString2="Program Files (x86)") returned -1 [0080.879] lstrcmpiW (lpString1="Color", lpString2="$Recycle.bin") returned 1 [0080.879] lstrcmpiW (lpString1="Color", lpString2="System Volume Information") returned -1 [0080.879] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color") returned 59 [0080.879] lstrcmpW (lpString1="Color", lpString2=".") returned 1 [0080.879] lstrcmpW (lpString1="Color", lpString2="..") returned 1 [0080.879] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*") returned 61 [0080.879] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0080.879] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.879] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.879] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.879] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.879] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.879] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\.") returned 61 [0080.879] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.880] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0080.880] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.880] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.880] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.880] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.880] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.880] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\..") returned 62 [0080.880] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.880] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.880] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0080.880] lstrcmpiW (lpString1="ACECache11.lst", lpString2="Windows") returned -1 [0080.880] lstrcmpiW (lpString1="ACECache11.lst", lpString2="Program Files") returned -1 [0080.880] lstrcmpiW (lpString1="ACECache11.lst", lpString2="Program Files (x86)") returned -1 [0080.880] lstrcmpiW (lpString1="ACECache11.lst", lpString2="$Recycle.bin") returned 1 [0080.880] lstrcmpiW (lpString1="ACECache11.lst", lpString2="System Volume Information") returned -1 [0080.880] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned 74 [0080.880] StrStrIW (lpFirst="ACECache11.lst", lpSrch=".protected") returned 0x0 [0080.880] lstrcmpW (lpString1="ACECache11.lst", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0080.880] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee5c0 | out: pbBuffer=0x2ee5c0) returned 1 [0080.880] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee5b4*=0x30) returned 1 [0080.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0080.880] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned 74 [0080.880] StrStrW (lpFirst="ACECache11.lst", lpSrch=".txt") returned 0x0 [0080.880] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned 74 [0080.880] StrStrW (lpFirst="ACECache11.lst", lpSrch=".rar") returned 0x0 [0080.880] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned 74 [0080.880] StrStrW (lpFirst="ACECache11.lst", lpSrch=".zip") returned 0x0 [0080.881] ReadFile (in: hFile=0x1e4, lpBuffer=0x61c800, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x61c800*, lpNumberOfBytesRead=0x2ee590*=0x49c, lpOverlapped=0x0) returned 1 [0081.077] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xfffffb64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.077] WriteFile (in: hFile=0x1e4, lpBuffer=0x61c800*, nNumberOfBytesToWrite=0x49c, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x61c800*, lpNumberOfBytesWritten=0x2ee590*=0x49c, lpOverlapped=0x0) returned 1 [0081.078] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.078] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ee5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x2ee5bc*, lpNumberOfBytesWritten=0x2ee590*=0x4, lpOverlapped=0x0) returned 1 [0081.078] WriteFile (in: hFile=0x1e4, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee590, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee590*=0x30, lpOverlapped=0x0) returned 1 [0081.078] CloseHandle (hObject=0x1e4) returned 1 [0081.079] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst.protected") returned 84 [0081.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst.protected")) returned 1 [0081.079] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0081.079] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0081.079] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0081.079] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0081.079] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0081.079] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0081.079] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles") returned 68 [0081.079] lstrcmpW (lpString1="Profiles", lpString2=".") returned 1 [0081.080] lstrcmpW (lpString1="Profiles", lpString2="..") returned 1 [0081.080] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\*") returned 70 [0081.080] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\*", lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 0x557470 [0081.080] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.080] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.080] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.080] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.080] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.080] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\.") returned 70 [0081.081] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.081] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0081.081] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.081] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.081] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.081] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.081] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.081] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\..") returned 71 [0081.081] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.081] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.081] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0081.081] lstrcmpiW (lpString1="wscRGB.icc", lpString2="Windows") returned 1 [0081.081] lstrcmpiW (lpString1="wscRGB.icc", lpString2="Program Files") returned 1 [0081.081] lstrcmpiW (lpString1="wscRGB.icc", lpString2="Program Files (x86)") returned 1 [0081.081] lstrcmpiW (lpString1="wscRGB.icc", lpString2="$Recycle.bin") returned 1 [0081.081] lstrcmpiW (lpString1="wscRGB.icc", lpString2="System Volume Information") returned 1 [0081.081] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc") returned 79 [0081.081] StrStrIW (lpFirst="wscRGB.icc", lpSrch=".protected") returned 0x0 [0081.081] lstrcmpW (lpString1="wscRGB.icc", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0081.081] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee2c8 | out: pbBuffer=0x2ee2c8) returned 1 [0081.081] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x30) returned 1 [0081.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0081.082] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc") returned 79 [0081.082] StrStrW (lpFirst="wscRGB.icc", lpSrch=".txt") returned 0x0 [0081.082] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc") returned 79 [0081.082] StrStrW (lpFirst="wscRGB.icc", lpSrch=".rar") returned 0x0 [0081.082] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc") returned 79 [0081.082] StrStrW (lpFirst="wscRGB.icc", lpSrch=".zip") returned 0x0 [0081.082] ReadFile (in: hFile=0x1e8, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2ee298*=0x2800, lpOverlapped=0x0) returned 1 [0081.111] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.111] WriteFile (in: hFile=0x1e8, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2ee298*=0x2800, lpOverlapped=0x0) returned 1 [0081.111] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.112] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ee2c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x2ee2c4*, lpNumberOfBytesWritten=0x2ee298*=0x4, lpOverlapped=0x0) returned 1 [0081.112] WriteFile (in: hFile=0x1e8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee298*=0x30, lpOverlapped=0x0) returned 1 [0081.112] CloseHandle (hObject=0x1e8) returned 1 [0081.112] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc.protected") returned 89 [0081.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc.protected")) returned 1 [0081.113] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0081.113] lstrcmpiW (lpString1="wsRGB.icc", lpString2="Windows") returned 1 [0081.113] lstrcmpiW (lpString1="wsRGB.icc", lpString2="Program Files") returned 1 [0081.113] lstrcmpiW (lpString1="wsRGB.icc", lpString2="Program Files (x86)") returned 1 [0081.113] lstrcmpiW (lpString1="wsRGB.icc", lpString2="$Recycle.bin") returned 1 [0081.113] lstrcmpiW (lpString1="wsRGB.icc", lpString2="System Volume Information") returned 1 [0081.113] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc") returned 78 [0081.113] StrStrIW (lpFirst="wsRGB.icc", lpSrch=".protected") returned 0x0 [0081.113] lstrcmpW (lpString1="wsRGB.icc", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0081.113] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ee2c8 | out: pbBuffer=0x2ee2c8) returned 1 [0081.113] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ee2bc*=0x30) returned 1 [0081.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0081.113] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc") returned 78 [0081.114] StrStrW (lpFirst="wsRGB.icc", lpSrch=".txt") returned 0x0 [0081.114] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc") returned 78 [0081.114] StrStrW (lpFirst="wsRGB.icc", lpSrch=".rar") returned 0x0 [0081.114] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc") returned 78 [0081.114] StrStrW (lpFirst="wsRGB.icc", lpSrch=".zip") returned 0x0 [0081.114] ReadFile (in: hFile=0x1e8, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2ee298*=0xa74, lpOverlapped=0x0) returned 1 [0081.119] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xfffff58c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.119] WriteFile (in: hFile=0x1e8, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0xa74, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2ee298*=0xa74, lpOverlapped=0x0) returned 1 [0081.119] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.119] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ee2c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x2ee2c4*, lpNumberOfBytesWritten=0x2ee298*=0x4, lpOverlapped=0x0) returned 1 [0081.119] WriteFile (in: hFile=0x1e8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ee298, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ee298*=0x30, lpOverlapped=0x0) returned 1 [0081.120] CloseHandle (hObject=0x1e8) returned 1 [0081.120] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc.protected") returned 88 [0081.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc.protected")) returned 1 [0081.121] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 0 [0081.121] FindClose (in: hFindFile=0x557470 | out: hFindFile=0x557470) returned 1 [0081.121] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 98 [0081.121] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0081.173] lstrlenA (lpString="EMPTY") returned 5 [0081.173] WriteFile (in: hFile=0x1e4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee2a4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee2a4*=0x5, lpOverlapped=0x0) returned 1 [0081.174] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0081.174] WriteFile (in: hFile=0x1e4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee2a4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee2a4*=0x2ac, lpOverlapped=0x0) returned 1 [0081.174] CloseHandle (hObject=0x1e4) returned 1 [0081.175] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0081.175] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0081.176] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 89 [0081.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0081.177] lstrlenA (lpString="EMPTY") returned 5 [0081.177] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0081.177] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0081.177] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0081.177] CloseHandle (hObject=0x1e0) returned 1 [0081.178] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0081.178] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0081.178] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 83 [0081.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0081.179] lstrlenA (lpString="EMPTY") returned 5 [0081.179] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0081.179] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0081.179] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0081.180] CloseHandle (hObject=0x1dc) returned 1 [0081.180] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0081.180] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0081.180] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0081.180] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0081.180] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0081.180] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0081.180] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data") returned 64 [0081.180] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0081.181] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0081.181] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\*") returned 66 [0081.181] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0xffffffff [0081.181] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0081.181] lstrcmpiW (lpString1="Apps", lpString2="Windows") returned -1 [0081.181] lstrcmpiW (lpString1="Apps", lpString2="Program Files") returned -1 [0081.181] lstrcmpiW (lpString1="Apps", lpString2="Program Files (x86)") returned -1 [0081.181] lstrcmpiW (lpString1="Apps", lpString2="$Recycle.bin") returned 1 [0081.181] lstrcmpiW (lpString1="Apps", lpString2="System Volume Information") returned -1 [0081.181] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps") returned 52 [0081.181] lstrcmpW (lpString1="Apps", lpString2=".") returned 1 [0081.181] lstrcmpW (lpString1="Apps", lpString2="..") returned 1 [0081.181] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*") returned 54 [0081.181] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0081.182] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.182] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.182] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.182] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.182] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.182] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\.") returned 54 [0081.182] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.182] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0081.182] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.182] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.182] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.182] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.182] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.183] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\..") returned 55 [0081.183] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.183] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.183] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0081.183] lstrcmpiW (lpString1="2.0", lpString2="Windows") returned -1 [0081.183] lstrcmpiW (lpString1="2.0", lpString2="Program Files") returned -1 [0081.183] lstrcmpiW (lpString1="2.0", lpString2="Program Files (x86)") returned -1 [0081.183] lstrcmpiW (lpString1="2.0", lpString2="$Recycle.bin") returned 1 [0081.183] lstrcmpiW (lpString1="2.0", lpString2="System Volume Information") returned -1 [0081.183] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0") returned 56 [0081.183] lstrcmpW (lpString1="2.0", lpString2=".") returned 1 [0081.183] lstrcmpW (lpString1="2.0", lpString2="..") returned 1 [0081.183] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*") returned 58 [0081.183] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0081.183] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.183] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.183] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.183] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.183] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.183] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\.") returned 58 [0081.183] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.183] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0081.184] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.184] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.184] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.184] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.184] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.184] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\..") returned 59 [0081.184] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.184] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.184] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0081.184] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0081.184] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0081.184] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0081.184] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0081.184] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0081.184] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data") returned 61 [0081.184] lstrcmpW (lpString1="Data", lpString2=".") returned 1 [0081.184] lstrcmpW (lpString1="Data", lpString2="..") returned 1 [0081.185] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*") returned 63 [0081.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*", lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 0x557470 [0081.185] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.185] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.185] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.185] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.185] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.185] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\.") returned 63 [0081.185] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.185] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0081.186] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.186] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.186] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.186] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.186] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.186] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\..") returned 64 [0081.186] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.186] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.186] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0081.186] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="Windows") returned -1 [0081.186] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="Program Files") returned -1 [0081.186] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="Program Files (x86)") returned -1 [0081.186] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="$Recycle.bin") returned 1 [0081.186] lstrcmpiW (lpString1="CJW3O3KP.BX7", lpString2="System Volume Information") returned -1 [0081.186] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7") returned 74 [0081.186] lstrcmpW (lpString1="CJW3O3KP.BX7", lpString2=".") returned 1 [0081.186] lstrcmpW (lpString1="CJW3O3KP.BX7", lpString2="..") returned 1 [0081.186] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*") returned 76 [0081.186] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*", lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 0x5574b0 [0081.186] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.186] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.186] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.186] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.187] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.187] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\.") returned 76 [0081.187] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.187] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0081.187] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.187] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.187] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.187] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.187] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.187] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\..") returned 77 [0081.187] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.187] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.187] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0081.187] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="Windows") returned -1 [0081.187] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="Program Files") returned -1 [0081.187] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="Program Files (x86)") returned -1 [0081.187] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="$Recycle.bin") returned 1 [0081.187] lstrcmpiW (lpString1="6NG60CXZ.9GJ", lpString2="System Volume Information") returned -1 [0081.187] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ") returned 87 [0081.187] lstrcmpW (lpString1="6NG60CXZ.9GJ", lpString2=".") returned 1 [0081.187] lstrcmpW (lpString1="6NG60CXZ.9GJ", lpString2="..") returned 1 [0081.187] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\*") returned 89 [0081.187] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\*", lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0x5574f0 [0081.188] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.188] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.188] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.188] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.188] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.188] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\.") returned 89 [0081.188] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.188] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0081.188] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.188] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.188] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.188] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.188] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.188] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\..") returned 90 [0081.188] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.188] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.188] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0081.188] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Windows") returned -1 [0081.188] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Program Files") returned -1 [0081.188] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Program Files (x86)") returned -1 [0081.188] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="$Recycle.bin") returned 1 [0081.188] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="System Volume Information") returned -1 [0081.188] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec") returned 142 [0081.188] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2=".") returned 1 [0081.188] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="..") returned 1 [0081.189] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*") returned 144 [0081.189] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*", lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0x557530 [0081.189] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.189] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.190] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.190] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.190] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.190] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\.") returned 144 [0081.190] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.190] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0081.190] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.190] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.190] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.190] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.190] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.190] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\..") returned 145 [0081.190] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.190] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.190] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0081.190] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0081.190] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0081.190] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0081.190] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0081.190] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0081.190] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data") returned 147 [0081.190] lstrcmpW (lpString1="Data", lpString2=".") returned 1 [0081.190] lstrcmpW (lpString1="Data", lpString2="..") returned 1 [0081.191] wnsprintfW (in: pszDest=0x2df1098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\*") returned 149 [0081.191] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\*", lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0x557570 [0081.191] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.191] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.191] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.191] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.191] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.191] wnsprintfW (in: pszDest=0x2df1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\.") returned 149 [0081.191] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.191] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0081.191] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.191] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.191] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.191] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.191] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.191] wnsprintfW (in: pszDest=0x2df1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\..") returned 150 [0081.191] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.191] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.191] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0 [0081.191] FindClose (in: hFindFile=0x557570 | out: hFindFile=0x557570) returned 1 [0081.191] wnsprintfW (in: pszDest=0x2df1098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 177 [0081.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\Data\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\data\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0081.194] lstrlenA (lpString="EMPTY") returned 5 [0081.194] WriteFile (in: hFile=0x1f4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed6c4*=0x5, lpOverlapped=0x0) returned 1 [0081.194] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0081.194] WriteFile (in: hFile=0x1f4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed6c4*=0x2ac, lpOverlapped=0x0) returned 1 [0081.195] CloseHandle (hObject=0x1f4) returned 1 [0081.195] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0 [0081.195] FindClose (in: hFindFile=0x557530 | out: hFindFile=0x557530) returned 1 [0081.195] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0081.195] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0081.195] lstrlenA (lpString="EMPTY") returned 5 [0081.195] WriteFile (in: hFile=0x1f0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed9bc*=0x5, lpOverlapped=0x0) returned 1 [0081.196] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0081.196] WriteFile (in: hFile=0x1f0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed9bc*=0x2ac, lpOverlapped=0x0) returned 1 [0081.196] CloseHandle (hObject=0x1f0) returned 1 [0081.196] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0 [0081.196] FindClose (in: hFindFile=0x5574f0 | out: hFindFile=0x5574f0) returned 1 [0081.197] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 117 [0081.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\6ng60cxz.9gj\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0081.198] lstrlenA (lpString="EMPTY") returned 5 [0081.198] WriteFile (in: hFile=0x1ec, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edcb4*=0x5, lpOverlapped=0x0) returned 1 [0081.198] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0081.198] WriteFile (in: hFile=0x1ec, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edcb4*=0x2ac, lpOverlapped=0x0) returned 1 [0081.199] CloseHandle (hObject=0x1ec) returned 1 [0081.199] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 0 [0081.199] FindClose (in: hFindFile=0x5574b0 | out: hFindFile=0x5574b0) returned 1 [0081.199] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 104 [0081.199] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\cjw3o3kp.bx7\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0081.200] lstrlenA (lpString="EMPTY") returned 5 [0081.200] WriteFile (in: hFile=0x1e8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edfac, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edfac*=0x5, lpOverlapped=0x0) returned 1 [0081.201] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0081.201] WriteFile (in: hFile=0x1e8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edfac, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edfac*=0x2ac, lpOverlapped=0x0) returned 1 [0081.201] CloseHandle (hObject=0x1e8) returned 1 [0081.201] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 0 [0081.201] FindClose (in: hFindFile=0x557470 | out: hFindFile=0x557470) returned 1 [0081.202] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 91 [0081.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\data\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0081.202] lstrlenA (lpString="EMPTY") returned 5 [0081.202] WriteFile (in: hFile=0x1e4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee2a4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee2a4*=0x5, lpOverlapped=0x0) returned 1 [0081.203] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0081.203] WriteFile (in: hFile=0x1e4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee2a4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee2a4*=0x2ac, lpOverlapped=0x0) returned 1 [0081.203] CloseHandle (hObject=0x1e4) returned 1 [0081.204] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0081.204] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="Windows") returned -1 [0081.204] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="Program Files") returned -1 [0081.204] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="Program Files (x86)") returned -1 [0081.204] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="$Recycle.bin") returned 1 [0081.204] lstrcmpiW (lpString1="DQQ19BCJ.JAX", lpString2="System Volume Information") returned -1 [0081.204] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX") returned 69 [0081.204] lstrcmpW (lpString1="DQQ19BCJ.JAX", lpString2=".") returned 1 [0081.204] lstrcmpW (lpString1="DQQ19BCJ.JAX", lpString2="..") returned 1 [0081.204] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*") returned 71 [0081.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*", lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 0x557470 [0081.205] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.205] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.205] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.205] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.205] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.205] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\.") returned 71 [0081.205] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.205] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0081.205] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.205] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.205] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.205] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.205] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.205] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\..") returned 72 [0081.205] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.205] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.205] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0081.205] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="Windows") returned 1 [0081.205] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="Program Files") returned 1 [0081.205] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="Program Files (x86)") returned 1 [0081.205] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="$Recycle.bin") returned 1 [0081.205] lstrcmpiW (lpString1="YVORLGOR.PNT", lpString2="System Volume Information") returned 1 [0081.205] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT") returned 82 [0081.205] lstrcmpW (lpString1="YVORLGOR.PNT", lpString2=".") returned 1 [0081.205] lstrcmpW (lpString1="YVORLGOR.PNT", lpString2="..") returned 1 [0081.206] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*") returned 84 [0081.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*", lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 0x5574b0 [0081.247] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.247] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.247] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.247] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.247] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.247] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\.") returned 84 [0081.247] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.247] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0081.247] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.247] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.247] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.247] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.247] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.247] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\..") returned 85 [0081.248] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.248] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.248] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0081.248] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="Windows") returned -1 [0081.248] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="Program Files") returned -1 [0081.248] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="Program Files (x86)") returned -1 [0081.248] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="$Recycle.bin") returned 1 [0081.248] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="System Volume Information") returned -1 [0081.248] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715") returned 142 [0081.248] lstrcmpW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2=".") returned 1 [0081.248] lstrcmpW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="..") returned 1 [0081.248] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\*") returned 144 [0081.248] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\*", lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0x5574f0 [0081.249] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.249] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.249] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.249] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.249] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.249] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\.") returned 144 [0081.249] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.249] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0081.249] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.249] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.249] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.249] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.249] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.249] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\..") returned 145 [0081.249] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.249] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.249] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0081.249] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Windows") returned -1 [0081.249] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Program Files") returned -1 [0081.249] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Program Files (x86)") returned -1 [0081.249] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="$Recycle.bin") returned 1 [0081.249] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="System Volume Information") returned -1 [0081.249] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe") returned 164 [0081.249] StrStrIW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".protected") returned 0x0 [0081.249] lstrcmpW (lpString1="GoogleUpdateSetup.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0081.249] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0081.249] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0081.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\googleupdatesetup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0081.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe") returned 164 [0081.250] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".txt") returned 0x0 [0081.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe") returned 164 [0081.250] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".rar") returned 0x0 [0081.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe") returned 164 [0081.250] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".zip") returned 0x0 [0081.250] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0081.276] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.276] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0081.276] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.276] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0081.301] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0081.301] CloseHandle (hObject=0x1f0) returned 1 [0081.304] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe.protected") returned 174 [0081.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\googleupdatesetup.exe"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\googleupdatesetup.exe.protected")) returned 1 [0081.304] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0 [0081.304] FindClose (in: hFindFile=0x5574f0 | out: hFindFile=0x5574f0) returned 1 [0081.305] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0081.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0081.320] lstrlenA (lpString="EMPTY") returned 5 [0081.320] WriteFile (in: hFile=0x1ec, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edcb4*=0x5, lpOverlapped=0x0) returned 1 [0081.321] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0081.321] WriteFile (in: hFile=0x1ec, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edcb4*=0x2ac, lpOverlapped=0x0) returned 1 [0081.321] CloseHandle (hObject=0x1ec) returned 1 [0081.321] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0081.321] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Windows") returned -1 [0081.321] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Program Files") returned -1 [0081.321] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="Program Files (x86)") returned -1 [0081.321] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="$Recycle.bin") returned 1 [0081.321] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="System Volume Information") returned -1 [0081.321] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec") returned 137 [0081.321] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2=".") returned 1 [0081.321] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", lpString2="..") returned 1 [0081.321] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*") returned 139 [0081.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\*", lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0x5574f0 [0081.331] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.331] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.331] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.331] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.331] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.331] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\.") returned 139 [0081.331] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.331] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0081.331] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.331] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.331] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.331] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.331] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.331] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\..") returned 140 [0081.331] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.331] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.331] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0081.331] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="Windows") returned -1 [0081.331] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="Program Files") returned -1 [0081.331] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="Program Files (x86)") returned -1 [0081.331] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="$Recycle.bin") returned 1 [0081.331] lstrcmpiW (lpString1="clickonce_bootstrap.exe", lpString2="System Volume Information") returned -1 [0081.331] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe") returned 161 [0081.331] StrStrIW (lpFirst="clickonce_bootstrap.exe", lpSrch=".protected") returned 0x0 [0081.331] lstrcmpW (lpString1="clickonce_bootstrap.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0081.331] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0081.331] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0081.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0081.332] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe") returned 161 [0081.332] StrStrW (lpFirst="clickonce_bootstrap.exe", lpSrch=".txt") returned 0x0 [0081.332] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe") returned 161 [0081.332] StrStrW (lpFirst="clickonce_bootstrap.exe", lpSrch=".rar") returned 0x0 [0081.332] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe") returned 161 [0081.332] StrStrW (lpFirst="clickonce_bootstrap.exe", lpSrch=".zip") returned 0x0 [0081.332] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0081.350] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.350] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0081.350] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.350] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0081.383] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0081.383] CloseHandle (hObject=0x1f0) returned 1 [0081.383] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.protected") returned 171 [0081.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.protected")) returned 1 [0081.384] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0081.384] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="Windows") returned -1 [0081.384] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="Program Files") returned -1 [0081.384] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="Program Files (x86)") returned -1 [0081.384] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="$Recycle.bin") returned 1 [0081.384] lstrcmpiW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="System Volume Information") returned -1 [0081.384] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms") returned 168 [0081.384] StrStrIW (lpFirst="clickonce_bootstrap.exe.cdf-ms", lpSrch=".protected") returned 0x0 [0081.384] lstrcmpW (lpString1="clickonce_bootstrap.exe.cdf-ms", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0081.384] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0081.384] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0081.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0081.385] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms") returned 168 [0081.385] StrStrW (lpFirst="clickonce_bootstrap.exe.cdf-ms", lpSrch=".txt") returned 0x0 [0081.385] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms") returned 168 [0081.385] StrStrW (lpFirst="clickonce_bootstrap.exe.cdf-ms", lpSrch=".rar") returned 0x0 [0081.385] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms") returned 168 [0081.385] StrStrW (lpFirst="clickonce_bootstrap.exe.cdf-ms", lpSrch=".zip") returned 0x0 [0081.385] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0081.465] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.465] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0081.465] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.465] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0081.513] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0081.513] CloseHandle (hObject=0x1f0) returned 1 [0081.514] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms.protected") returned 178 [0081.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms.protected")) returned 1 [0081.514] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0081.514] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="Windows") returned -1 [0081.514] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="Program Files") returned -1 [0081.514] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="Program Files (x86)") returned -1 [0081.514] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="$Recycle.bin") returned 1 [0081.514] lstrcmpiW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="System Volume Information") returned -1 [0081.514] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest") returned 170 [0081.514] StrStrIW (lpFirst="clickonce_bootstrap.exe.manifest", lpSrch=".protected") returned 0x0 [0081.514] lstrcmpW (lpString1="clickonce_bootstrap.exe.manifest", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0081.514] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0081.514] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0081.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0081.515] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest") returned 170 [0081.515] StrStrW (lpFirst="clickonce_bootstrap.exe.manifest", lpSrch=".txt") returned 0x0 [0081.515] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest") returned 170 [0081.515] StrStrW (lpFirst="clickonce_bootstrap.exe.manifest", lpSrch=".rar") returned 0x0 [0081.515] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest") returned 170 [0081.515] StrStrW (lpFirst="clickonce_bootstrap.exe.manifest", lpSrch=".zip") returned 0x0 [0081.515] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0081.888] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.889] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0081.889] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.889] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0081.949] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0081.949] CloseHandle (hObject=0x1f0) returned 1 [0081.950] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest.protected") returned 180 [0081.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest.protected")) returned 1 [0081.950] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0081.950] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="Windows") returned -1 [0081.950] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="Program Files") returned -1 [0081.950] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="Program Files (x86)") returned -1 [0081.950] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="$Recycle.bin") returned 1 [0081.950] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="System Volume Information") returned -1 [0081.950] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms") returned 173 [0081.950] StrStrIW (lpFirst="clickonce_bootstrap_unsigned.cdf-ms", lpSrch=".protected") returned 0x0 [0081.950] lstrcmpW (lpString1="clickonce_bootstrap_unsigned.cdf-ms", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0081.950] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0081.950] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0081.950] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0081.951] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms") returned 173 [0081.951] StrStrW (lpFirst="clickonce_bootstrap_unsigned.cdf-ms", lpSrch=".txt") returned 0x0 [0081.951] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms") returned 173 [0081.951] StrStrW (lpFirst="clickonce_bootstrap_unsigned.cdf-ms", lpSrch=".rar") returned 0x0 [0081.951] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms") returned 173 [0081.951] StrStrW (lpFirst="clickonce_bootstrap_unsigned.cdf-ms", lpSrch=".zip") returned 0x0 [0081.951] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0xee0, lpOverlapped=0x0) returned 1 [0081.983] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffff120, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.983] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0xee0, lpOverlapped=0x0) returned 1 [0081.983] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.983] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0081.983] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0081.983] CloseHandle (hObject=0x1f0) returned 1 [0081.984] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms.protected") returned 183 [0081.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms.protected")) returned 1 [0081.984] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0081.984] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="Windows") returned -1 [0081.984] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="Program Files") returned -1 [0081.984] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="Program Files (x86)") returned -1 [0081.984] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="$Recycle.bin") returned 1 [0081.984] lstrcmpiW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="System Volume Information") returned -1 [0081.984] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest") returned 175 [0081.984] StrStrIW (lpFirst="clickonce_bootstrap_unsigned.manifest", lpSrch=".protected") returned 0x0 [0081.984] lstrcmpW (lpString1="clickonce_bootstrap_unsigned.manifest", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0081.984] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0081.984] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0081.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0081.985] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest") returned 175 [0081.985] StrStrW (lpFirst="clickonce_bootstrap_unsigned.manifest", lpSrch=".txt") returned 0x0 [0081.985] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest") returned 175 [0081.985] StrStrW (lpFirst="clickonce_bootstrap_unsigned.manifest", lpSrch=".rar") returned 0x0 [0081.985] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest") returned 175 [0081.985] StrStrW (lpFirst="clickonce_bootstrap_unsigned.manifest", lpSrch=".zip") returned 0x0 [0081.985] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x560, lpOverlapped=0x0) returned 1 [0081.986] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffffaa0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.986] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x560, lpOverlapped=0x0) returned 1 [0081.986] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.986] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0081.986] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0081.986] CloseHandle (hObject=0x1f0) returned 1 [0081.986] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest.protected") returned 185 [0081.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest.protected")) returned 1 [0081.987] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0081.987] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Windows") returned -1 [0081.987] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Program Files") returned -1 [0081.987] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="Program Files (x86)") returned -1 [0081.987] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="$Recycle.bin") returned 1 [0081.987] lstrcmpiW (lpString1="GoogleUpdateSetup.exe", lpString2="System Volume Information") returned -1 [0081.987] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe") returned 159 [0081.987] StrStrIW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".protected") returned 0x0 [0081.987] lstrcmpW (lpString1="GoogleUpdateSetup.exe", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0081.987] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0081.987] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0081.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\googleupdatesetup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0081.987] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe") returned 159 [0081.987] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".txt") returned 0x0 [0081.987] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe") returned 159 [0081.987] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".rar") returned 0x0 [0081.987] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe") returned 159 [0081.987] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".zip") returned 0x0 [0081.987] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0081.988] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.988] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0081.988] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.988] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0081.988] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0081.988] CloseHandle (hObject=0x1f0) returned 1 [0081.988] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe.protected") returned 169 [0081.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\googleupdatesetup.exe"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\googleupdatesetup.exe.protected")) returned 1 [0081.988] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0 [0081.989] FindClose (in: hFindFile=0x5574f0 | out: hFindFile=0x5574f0) returned 1 [0081.989] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 167 [0081.989] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0081.989] lstrlenA (lpString="EMPTY") returned 5 [0081.989] WriteFile (in: hFile=0x1ec, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edcb4*=0x5, lpOverlapped=0x0) returned 1 [0081.989] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0081.990] WriteFile (in: hFile=0x1ec, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edcb4*=0x2ac, lpOverlapped=0x0) returned 1 [0081.990] CloseHandle (hObject=0x1ec) returned 1 [0081.990] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0081.990] lstrcmpiW (lpString1="manifests", lpString2="Windows") returned -1 [0081.990] lstrcmpiW (lpString1="manifests", lpString2="Program Files") returned -1 [0081.990] lstrcmpiW (lpString1="manifests", lpString2="Program Files (x86)") returned -1 [0081.990] lstrcmpiW (lpString1="manifests", lpString2="$Recycle.bin") returned 1 [0081.990] lstrcmpiW (lpString1="manifests", lpString2="System Volume Information") returned -1 [0081.990] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests") returned 92 [0081.990] lstrcmpW (lpString1="manifests", lpString2=".") returned 1 [0081.990] lstrcmpW (lpString1="manifests", lpString2="..") returned 1 [0081.990] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\*") returned 94 [0081.990] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\*", lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0x5574f0 [0082.020] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.020] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.020] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.020] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.020] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.020] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\.") returned 94 [0082.020] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.020] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0082.020] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.020] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.020] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.020] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.020] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.020] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\..") returned 95 [0082.020] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.020] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.020] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0082.020] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="Windows") returned -1 [0082.020] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="Program Files") returned -1 [0082.020] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="Program Files (x86)") returned -1 [0082.020] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="$Recycle.bin") returned 1 [0082.020] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="System Volume Information") returned -1 [0082.020] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms") returned 159 [0082.020] StrStrIW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpSrch=".protected") returned 0x0 [0082.021] lstrcmpW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0082.021] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0082.021] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0082.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0082.021] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms") returned 159 [0082.021] StrStrW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpSrch=".txt") returned 0x0 [0082.021] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms") returned 159 [0082.021] StrStrW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpSrch=".rar") returned 0x0 [0082.021] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms") returned 159 [0082.021] StrStrW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpSrch=".zip") returned 0x0 [0082.021] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.021] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.021] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.021] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.021] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0082.021] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0082.022] CloseHandle (hObject=0x1f0) returned 1 [0082.022] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms.protected") returned 169 [0082.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms.protected")) returned 1 [0082.022] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0082.022] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="Windows") returned -1 [0082.022] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="Program Files") returned -1 [0082.022] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="Program Files (x86)") returned -1 [0082.022] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="$Recycle.bin") returned 1 [0082.022] lstrcmpiW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="System Volume Information") returned -1 [0082.022] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest") returned 161 [0082.022] StrStrIW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpSrch=".protected") returned 0x0 [0082.022] lstrcmpW (lpString1="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0082.022] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0082.022] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0082.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0082.023] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest") returned 161 [0082.023] StrStrW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpSrch=".txt") returned 0x0 [0082.023] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest") returned 161 [0082.023] StrStrW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpSrch=".rar") returned 0x0 [0082.023] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest") returned 161 [0082.023] StrStrW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpSrch=".zip") returned 0x0 [0082.023] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.023] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.023] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.023] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.023] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0082.023] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0082.023] CloseHandle (hObject=0x1f0) returned 1 [0082.024] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest.protected") returned 171 [0082.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest.protected")) returned 1 [0082.024] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0082.024] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="Windows") returned -1 [0082.024] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="Program Files") returned -1 [0082.024] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="Program Files (x86)") returned -1 [0082.024] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="$Recycle.bin") returned 1 [0082.024] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="System Volume Information") returned -1 [0082.024] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms") returned 159 [0082.024] StrStrIW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpSrch=".protected") returned 0x0 [0082.024] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0082.024] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0082.024] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0082.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0082.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms") returned 159 [0082.026] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpSrch=".txt") returned 0x0 [0082.026] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms") returned 159 [0082.026] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpSrch=".rar") returned 0x0 [0082.026] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms") returned 159 [0082.026] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpSrch=".zip") returned 0x0 [0082.026] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.083] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.083] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.083] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.083] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0082.121] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0082.121] CloseHandle (hObject=0x1f0) returned 1 [0082.121] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms.protected") returned 169 [0082.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms.protected")) returned 1 [0082.122] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0082.122] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="Windows") returned -1 [0082.122] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="Program Files") returned -1 [0082.122] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="Program Files (x86)") returned -1 [0082.122] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="$Recycle.bin") returned 1 [0082.122] lstrcmpiW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="System Volume Information") returned -1 [0082.122] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest") returned 161 [0082.122] StrStrIW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpSrch=".protected") returned 0x0 [0082.122] lstrcmpW (lpString1="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0082.122] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0082.122] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0082.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0082.122] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest") returned 161 [0082.122] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpSrch=".txt") returned 0x0 [0082.122] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest") returned 161 [0082.122] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpSrch=".rar") returned 0x0 [0082.122] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest") returned 161 [0082.122] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpSrch=".zip") returned 0x0 [0082.122] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.139] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.139] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.139] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.139] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0082.140] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0082.140] CloseHandle (hObject=0x1f0) returned 1 [0082.140] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest.protected") returned 171 [0082.140] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest.protected")) returned 1 [0082.140] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0 [0082.140] FindClose (in: hFindFile=0x5574f0 | out: hFindFile=0x5574f0) returned 1 [0082.140] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 122 [0082.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0082.141] lstrlenA (lpString="EMPTY") returned 5 [0082.141] WriteFile (in: hFile=0x1ec, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edcb4*=0x5, lpOverlapped=0x0) returned 1 [0082.142] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0082.142] WriteFile (in: hFile=0x1ec, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edcb4*=0x2ac, lpOverlapped=0x0) returned 1 [0082.142] CloseHandle (hObject=0x1ec) returned 1 [0082.142] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 0 [0082.142] FindClose (in: hFindFile=0x5574b0 | out: hFindFile=0x5574b0) returned 1 [0082.142] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 112 [0082.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0082.143] lstrlenA (lpString="EMPTY") returned 5 [0082.143] WriteFile (in: hFile=0x1e8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edfac, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edfac*=0x5, lpOverlapped=0x0) returned 1 [0082.144] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0082.144] WriteFile (in: hFile=0x1e8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edfac, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edfac*=0x2ac, lpOverlapped=0x0) returned 1 [0082.144] CloseHandle (hObject=0x1e8) returned 1 [0082.145] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 0 [0082.145] FindClose (in: hFindFile=0x557470 | out: hFindFile=0x557470) returned 1 [0082.145] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 99 [0082.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0082.145] lstrlenA (lpString="EMPTY") returned 5 [0082.145] WriteFile (in: hFile=0x1e4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee2a4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee2a4*=0x5, lpOverlapped=0x0) returned 1 [0082.152] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0082.152] WriteFile (in: hFile=0x1e4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee2a4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee2a4*=0x2ac, lpOverlapped=0x0) returned 1 [0082.152] CloseHandle (hObject=0x1e4) returned 1 [0082.152] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0 [0082.152] FindClose (in: hFindFile=0x557430 | out: hFindFile=0x557430) returned 1 [0082.153] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 86 [0082.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0082.155] lstrlenA (lpString="EMPTY") returned 5 [0082.155] WriteFile (in: hFile=0x1e0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee59c*=0x5, lpOverlapped=0x0) returned 1 [0082.156] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0082.156] WriteFile (in: hFile=0x1e0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee59c, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee59c*=0x2ac, lpOverlapped=0x0) returned 1 [0082.156] CloseHandle (hObject=0x1e0) returned 1 [0082.156] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0082.156] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0082.156] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 82 [0082.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0082.157] lstrlenA (lpString="EMPTY") returned 5 [0082.157] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0082.157] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0082.157] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0082.158] CloseHandle (hObject=0x1dc) returned 1 [0082.161] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0082.161] lstrcmpiW (lpString1="Deployment", lpString2="Windows") returned -1 [0082.161] lstrcmpiW (lpString1="Deployment", lpString2="Program Files") returned -1 [0082.162] lstrcmpiW (lpString1="Deployment", lpString2="Program Files (x86)") returned -1 [0082.162] lstrcmpiW (lpString1="Deployment", lpString2="$Recycle.bin") returned 1 [0082.162] lstrcmpiW (lpString1="Deployment", lpString2="System Volume Information") returned -1 [0082.162] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment") returned 58 [0082.162] lstrcmpW (lpString1="Deployment", lpString2=".") returned 1 [0082.162] lstrcmpW (lpString1="Deployment", lpString2="..") returned 1 [0082.162] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\*") returned 60 [0082.162] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0082.162] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.162] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.162] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.162] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.162] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.162] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\.") returned 60 [0082.162] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.162] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0082.163] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.163] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.163] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.163] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.163] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.163] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\..") returned 61 [0082.163] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.163] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.163] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0 [0082.165] FindClose (in: hFindFile=0x5573f0 | out: hFindFile=0x5573f0) returned 1 [0082.165] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 88 [0082.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\deployment\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0082.166] lstrlenA (lpString="EMPTY") returned 5 [0082.166] WriteFile (in: hFile=0x1dc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ee894*=0x5, lpOverlapped=0x0) returned 1 [0082.166] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0082.166] WriteFile (in: hFile=0x1dc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ee894, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ee894*=0x2ac, lpOverlapped=0x0) returned 1 [0082.166] CloseHandle (hObject=0x1dc) returned 1 [0082.167] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0082.167] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="Windows") returned -1 [0082.167] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="Program Files") returned -1 [0082.167] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="Program Files (x86)") returned -1 [0082.167] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="$Recycle.bin") returned 1 [0082.167] lstrcmpiW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="System Volume Information") returned -1 [0082.167] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned 67 [0082.167] StrStrIW (lpFirst="GDIPFONTCACHEV1.DAT", lpSrch=".protected") returned 0x0 [0082.167] lstrcmpW (lpString1="GDIPFONTCACHEV1.DAT", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0082.167] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2eebb0 | out: pbBuffer=0x2eebb0) returned 1 [0082.167] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2eeba4*=0x30) returned 1 [0082.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0082.168] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned 67 [0082.168] StrStrW (lpFirst="GDIPFONTCACHEV1.DAT", lpSrch=".txt") returned 0x0 [0082.168] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned 67 [0082.168] StrStrW (lpFirst="GDIPFONTCACHEV1.DAT", lpSrch=".rar") returned 0x0 [0082.168] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned 67 [0082.168] StrStrW (lpFirst="GDIPFONTCACHEV1.DAT", lpSrch=".zip") returned 0x0 [0082.168] ReadFile (in: hFile=0x1dc, lpBuffer=0x5e8718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesRead=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0082.225] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.225] WriteFile (in: hFile=0x1dc, lpBuffer=0x5e8718*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5e8718*, lpNumberOfBytesWritten=0x2eeb80*=0x2800, lpOverlapped=0x0) returned 1 [0082.225] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.226] WriteFile (in: hFile=0x1dc, lpBuffer=0x2eebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x2eebac*, lpNumberOfBytesWritten=0x2eeb80*=0x4, lpOverlapped=0x0) returned 1 [0082.262] WriteFile (in: hFile=0x1dc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2eeb80, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2eeb80*=0x30, lpOverlapped=0x0) returned 1 [0082.263] CloseHandle (hObject=0x1dc) returned 1 [0082.263] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.protected") returned 77 [0082.263] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat.protected")) returned 1 [0082.265] FindNextFileW (in: hFindFile=0x5573b0, lpFindFileData=0x2eec10 | out: lpFindFileData=0x2eec10) returned 1 [0082.265] lstrcmpiW (lpString1="Google", lpString2="Windows") returned -1 [0082.265] lstrcmpiW (lpString1="Google", lpString2="Program Files") returned -1 [0082.265] lstrcmpiW (lpString1="Google", lpString2="Program Files (x86)") returned -1 [0082.265] lstrcmpiW (lpString1="Google", lpString2="$Recycle.bin") returned 1 [0082.265] lstrcmpiW (lpString1="Google", lpString2="System Volume Information") returned -1 [0082.265] wnsprintfW (in: pszDest=0x5d86d0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google") returned 54 [0082.265] lstrcmpW (lpString1="Google", lpString2=".") returned 1 [0082.265] lstrcmpW (lpString1="Google", lpString2="..") returned 1 [0082.265] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*") returned 56 [0082.265] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*", lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 0x5573f0 [0082.265] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.265] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.265] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.265] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.265] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.265] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\.") returned 56 [0082.265] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.265] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0082.266] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.266] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.266] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.266] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.266] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.266] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\..") returned 57 [0082.266] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.266] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.266] FindNextFileW (in: hFindFile=0x5573f0, lpFindFileData=0x2ee918 | out: lpFindFileData=0x2ee918) returned 1 [0082.266] lstrcmpiW (lpString1="Chrome", lpString2="Windows") returned -1 [0082.266] lstrcmpiW (lpString1="Chrome", lpString2="Program Files") returned -1 [0082.266] lstrcmpiW (lpString1="Chrome", lpString2="Program Files (x86)") returned -1 [0082.266] lstrcmpiW (lpString1="Chrome", lpString2="$Recycle.bin") returned 1 [0082.266] lstrcmpiW (lpString1="Chrome", lpString2="System Volume Information") returned -1 [0082.266] wnsprintfW (in: pszDest=0x5e8718, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome") returned 61 [0082.266] lstrcmpW (lpString1="Chrome", lpString2=".") returned 1 [0082.266] lstrcmpW (lpString1="Chrome", lpString2="..") returned 1 [0082.266] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*") returned 63 [0082.266] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*", lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 0x557430 [0082.266] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.266] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.266] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.266] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.266] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.266] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\.") returned 63 [0082.266] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.266] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0082.267] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.267] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.267] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.267] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.267] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.267] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\..") returned 64 [0082.267] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.267] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.267] FindNextFileW (in: hFindFile=0x557430, lpFindFileData=0x2ee620 | out: lpFindFileData=0x2ee620) returned 1 [0082.267] lstrcmpiW (lpString1="User Data", lpString2="Windows") returned -1 [0082.267] lstrcmpiW (lpString1="User Data", lpString2="Program Files") returned 1 [0082.267] lstrcmpiW (lpString1="User Data", lpString2="Program Files (x86)") returned 1 [0082.267] lstrcmpiW (lpString1="User Data", lpString2="$Recycle.bin") returned 1 [0082.267] lstrcmpiW (lpString1="User Data", lpString2="System Volume Information") returned 1 [0082.267] wnsprintfW (in: pszDest=0x60b7b0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data") returned 71 [0082.267] lstrcmpW (lpString1="User Data", lpString2=".") returned 1 [0082.267] lstrcmpW (lpString1="User Data", lpString2="..") returned 1 [0082.267] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*") returned 73 [0082.267] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*", lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 0x557470 [0082.318] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.318] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.318] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.318] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.318] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.318] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\.") returned 73 [0082.318] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.318] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0082.335] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.335] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.335] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.335] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.335] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.335] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\..") returned 74 [0082.335] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.335] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0082.335] lstrcmpiW (lpString1="CertificateTransparency", lpString2="Windows") returned -1 [0082.335] lstrcmpiW (lpString1="CertificateTransparency", lpString2="Program Files") returned -1 [0082.335] lstrcmpiW (lpString1="CertificateTransparency", lpString2="Program Files (x86)") returned -1 [0082.335] lstrcmpiW (lpString1="CertificateTransparency", lpString2="$Recycle.bin") returned 1 [0082.335] lstrcmpiW (lpString1="CertificateTransparency", lpString2="System Volume Information") returned -1 [0082.335] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency") returned 95 [0082.335] lstrcmpW (lpString1="CertificateTransparency", lpString2=".") returned 1 [0082.335] lstrcmpW (lpString1="CertificateTransparency", lpString2="..") returned 1 [0082.335] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*") returned 97 [0082.335] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*", lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 0x5574b0 [0082.336] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.336] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.336] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.336] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.336] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.336] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\.") returned 97 [0082.336] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.336] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0082.336] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.336] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.336] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.336] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.336] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.336] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\..") returned 98 [0082.336] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.336] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.336] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 0 [0082.336] FindClose (in: hFindFile=0x5574b0 | out: hFindFile=0x5574b0) returned 1 [0082.337] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 125 [0082.337] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\certificatetransparency\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0082.337] lstrlenA (lpString="EMPTY") returned 5 [0082.337] WriteFile (in: hFile=0x1e8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edfac, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edfac*=0x5, lpOverlapped=0x0) returned 1 [0082.338] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0082.338] WriteFile (in: hFile=0x1e8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edfac, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edfac*=0x2ac, lpOverlapped=0x0) returned 1 [0082.338] CloseHandle (hObject=0x1e8) returned 1 [0082.338] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0082.338] lstrcmpiW (lpString1="Crashpad", lpString2="Windows") returned -1 [0082.338] lstrcmpiW (lpString1="Crashpad", lpString2="Program Files") returned -1 [0082.338] lstrcmpiW (lpString1="Crashpad", lpString2="Program Files (x86)") returned -1 [0082.338] lstrcmpiW (lpString1="Crashpad", lpString2="$Recycle.bin") returned 1 [0082.338] lstrcmpiW (lpString1="Crashpad", lpString2="System Volume Information") returned -1 [0082.338] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 80 [0082.338] lstrcmpW (lpString1="Crashpad", lpString2=".") returned 1 [0082.338] lstrcmpW (lpString1="Crashpad", lpString2="..") returned 1 [0082.338] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*") returned 82 [0082.338] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*", lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 0x5574b0 [0082.339] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.339] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.339] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.339] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.339] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.339] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\.") returned 82 [0082.339] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.339] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0082.339] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.339] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.339] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.339] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.339] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.339] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\..") returned 83 [0082.339] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.339] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.339] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0082.339] lstrcmpiW (lpString1="metadata", lpString2="Windows") returned -1 [0082.339] lstrcmpiW (lpString1="metadata", lpString2="Program Files") returned -1 [0082.339] lstrcmpiW (lpString1="metadata", lpString2="Program Files (x86)") returned -1 [0082.339] lstrcmpiW (lpString1="metadata", lpString2="$Recycle.bin") returned 1 [0082.339] lstrcmpiW (lpString1="metadata", lpString2="System Volume Information") returned -1 [0082.339] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata") returned 89 [0082.339] StrStrIW (lpFirst="metadata", lpSrch=".protected") returned 0x0 [0082.339] lstrcmpW (lpString1="metadata", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0082.339] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edfd0 | out: pbBuffer=0x2edfd0) returned 1 [0082.339] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x30) returned 1 [0082.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\metadata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0082.340] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata") returned 89 [0082.340] StrStrW (lpFirst="metadata", lpSrch=".txt") returned 0x0 [0082.340] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata") returned 89 [0082.340] StrStrW (lpFirst="metadata", lpSrch=".rar") returned 0x0 [0082.340] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata") returned 89 [0082.340] StrStrW (lpFirst="metadata", lpSrch=".zip") returned 0x0 [0082.340] ReadFile (in: hFile=0x1ec, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edfa0*=0x0, lpOverlapped=0x0) returned 1 [0082.340] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.340] WriteFile (in: hFile=0x1ec, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edfa0*=0x0, lpOverlapped=0x0) returned 1 [0082.340] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.340] WriteFile (in: hFile=0x1ec, lpBuffer=0x2edfcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x2edfcc*, lpNumberOfBytesWritten=0x2edfa0*=0x4, lpOverlapped=0x0) returned 1 [0082.341] WriteFile (in: hFile=0x1ec, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edfa0*=0x30, lpOverlapped=0x0) returned 1 [0082.341] CloseHandle (hObject=0x1ec) returned 1 [0082.342] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata.protected") returned 99 [0082.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\metadata"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\metadata.protected")) returned 1 [0082.342] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0082.342] lstrcmpiW (lpString1="reports", lpString2="Windows") returned -1 [0082.342] lstrcmpiW (lpString1="reports", lpString2="Program Files") returned 1 [0082.342] lstrcmpiW (lpString1="reports", lpString2="Program Files (x86)") returned 1 [0082.342] lstrcmpiW (lpString1="reports", lpString2="$Recycle.bin") returned 1 [0082.342] lstrcmpiW (lpString1="reports", lpString2="System Volume Information") returned -1 [0082.342] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports") returned 88 [0082.342] lstrcmpW (lpString1="reports", lpString2=".") returned 1 [0082.342] lstrcmpW (lpString1="reports", lpString2="..") returned 1 [0082.342] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\*") returned 90 [0082.342] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\*", lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0x5574f0 [0082.343] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.343] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.343] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.343] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.343] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.343] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\.") returned 90 [0082.343] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.343] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0082.343] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.343] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.343] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.343] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.343] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.343] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\..") returned 91 [0082.343] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.343] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.343] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0 [0082.343] FindClose (in: hFindFile=0x5574f0 | out: hFindFile=0x5574f0) returned 1 [0082.343] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 118 [0082.343] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\reports\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0082.343] lstrlenA (lpString="EMPTY") returned 5 [0082.343] WriteFile (in: hFile=0x1ec, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edcb4*=0x5, lpOverlapped=0x0) returned 1 [0082.344] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0082.344] WriteFile (in: hFile=0x1ec, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edcb4*=0x2ac, lpOverlapped=0x0) returned 1 [0082.344] CloseHandle (hObject=0x1ec) returned 1 [0082.344] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0082.344] lstrcmpiW (lpString1="settings.dat", lpString2="Windows") returned -1 [0082.344] lstrcmpiW (lpString1="settings.dat", lpString2="Program Files") returned 1 [0082.344] lstrcmpiW (lpString1="settings.dat", lpString2="Program Files (x86)") returned 1 [0082.344] lstrcmpiW (lpString1="settings.dat", lpString2="$Recycle.bin") returned 1 [0082.344] lstrcmpiW (lpString1="settings.dat", lpString2="System Volume Information") returned -1 [0082.344] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat") returned 93 [0082.344] StrStrIW (lpFirst="settings.dat", lpSrch=".protected") returned 0x0 [0082.344] lstrcmpW (lpString1="settings.dat", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0082.344] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edfd0 | out: pbBuffer=0x2edfd0) returned 1 [0082.344] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x30) returned 1 [0082.344] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0082.345] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat") returned 93 [0082.345] StrStrW (lpFirst="settings.dat", lpSrch=".txt") returned 0x0 [0082.345] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat") returned 93 [0082.345] StrStrW (lpFirst="settings.dat", lpSrch=".rar") returned 0x0 [0082.345] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat") returned 93 [0082.345] StrStrW (lpFirst="settings.dat", lpSrch=".zip") returned 0x0 [0082.345] ReadFile (in: hFile=0x1ec, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edfa0*=0x28, lpOverlapped=0x0) returned 1 [0082.346] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xffffffd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.346] WriteFile (in: hFile=0x1ec, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edfa0*=0x28, lpOverlapped=0x0) returned 1 [0082.346] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.346] WriteFile (in: hFile=0x1ec, lpBuffer=0x2edfcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x2edfcc*, lpNumberOfBytesWritten=0x2edfa0*=0x4, lpOverlapped=0x0) returned 1 [0082.346] WriteFile (in: hFile=0x1ec, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edfa0*=0x30, lpOverlapped=0x0) returned 1 [0082.346] CloseHandle (hObject=0x1ec) returned 1 [0082.347] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat.protected") returned 103 [0082.347] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\settings.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\settings.dat.protected")) returned 1 [0082.347] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 0 [0082.347] FindClose (in: hFindFile=0x5574b0 | out: hFindFile=0x5574b0) returned 1 [0082.347] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 110 [0082.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0082.370] lstrlenA (lpString="EMPTY") returned 5 [0082.370] WriteFile (in: hFile=0x1e8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edfac, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edfac*=0x5, lpOverlapped=0x0) returned 1 [0082.371] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0082.371] WriteFile (in: hFile=0x1e8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edfac, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edfac*=0x2ac, lpOverlapped=0x0) returned 1 [0082.371] CloseHandle (hObject=0x1e8) returned 1 [0082.372] FindNextFileW (in: hFindFile=0x557470, lpFindFileData=0x2ee328 | out: lpFindFileData=0x2ee328) returned 1 [0082.372] lstrcmpiW (lpString1="Default", lpString2="Windows") returned -1 [0082.372] lstrcmpiW (lpString1="Default", lpString2="Program Files") returned -1 [0082.372] lstrcmpiW (lpString1="Default", lpString2="Program Files (x86)") returned -1 [0082.372] lstrcmpiW (lpString1="Default", lpString2="$Recycle.bin") returned 1 [0082.372] lstrcmpiW (lpString1="Default", lpString2="System Volume Information") returned -1 [0082.372] wnsprintfW (in: pszDest=0x2de0048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 79 [0082.372] lstrcmpW (lpString1="Default", lpString2=".") returned 1 [0082.372] lstrcmpW (lpString1="Default", lpString2="..") returned 1 [0082.373] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*") returned 81 [0082.373] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*", lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 0x5574b0 [0082.393] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.393] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.393] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.393] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.393] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.393] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\.") returned 81 [0082.393] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.393] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0082.494] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.494] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.494] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.494] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.494] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.494] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\..") returned 82 [0082.494] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.494] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.494] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0082.494] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0082.495] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0082.495] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0082.495] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0082.495] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0082.495] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 85 [0082.495] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0082.495] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0082.495] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\*") returned 87 [0082.495] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\*", lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0x5574f0 [0082.496] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.496] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.496] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.496] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.496] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.496] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\.") returned 87 [0082.496] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.496] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0082.496] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.496] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.496] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.496] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.496] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.496] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\..") returned 88 [0082.496] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.496] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.496] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0082.496] lstrcmpiW (lpString1="data_0", lpString2="Windows") returned -1 [0082.496] lstrcmpiW (lpString1="data_0", lpString2="Program Files") returned -1 [0082.496] lstrcmpiW (lpString1="data_0", lpString2="Program Files (x86)") returned -1 [0082.496] lstrcmpiW (lpString1="data_0", lpString2="$Recycle.bin") returned 1 [0082.496] lstrcmpiW (lpString1="data_0", lpString2="System Volume Information") returned -1 [0082.496] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0") returned 92 [0082.496] StrStrIW (lpFirst="data_0", lpSrch=".protected") returned 0x0 [0082.496] lstrcmpW (lpString1="data_0", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0082.496] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0082.496] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0082.496] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0082.497] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0") returned 92 [0082.497] StrStrW (lpFirst="data_0", lpSrch=".txt") returned 0x0 [0082.497] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0") returned 92 [0082.497] StrStrW (lpFirst="data_0", lpSrch=".rar") returned 0x0 [0082.497] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0") returned 92 [0082.497] StrStrW (lpFirst="data_0", lpSrch=".zip") returned 0x0 [0082.497] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.517] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.517] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.517] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.517] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0082.517] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0082.517] CloseHandle (hObject=0x1f0) returned 1 [0082.518] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0.protected") returned 102 [0082.518] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0.protected")) returned 1 [0082.518] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0082.518] lstrcmpiW (lpString1="data_1", lpString2="Windows") returned -1 [0082.518] lstrcmpiW (lpString1="data_1", lpString2="Program Files") returned -1 [0082.518] lstrcmpiW (lpString1="data_1", lpString2="Program Files (x86)") returned -1 [0082.518] lstrcmpiW (lpString1="data_1", lpString2="$Recycle.bin") returned 1 [0082.518] lstrcmpiW (lpString1="data_1", lpString2="System Volume Information") returned -1 [0082.518] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1") returned 92 [0082.518] StrStrIW (lpFirst="data_1", lpSrch=".protected") returned 0x0 [0082.518] lstrcmpW (lpString1="data_1", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0082.518] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0082.518] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0082.519] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0082.519] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1") returned 92 [0082.519] StrStrW (lpFirst="data_1", lpSrch=".txt") returned 0x0 [0082.519] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1") returned 92 [0082.519] StrStrW (lpFirst="data_1", lpSrch=".rar") returned 0x0 [0082.519] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1") returned 92 [0082.519] StrStrW (lpFirst="data_1", lpSrch=".zip") returned 0x0 [0082.519] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.600] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.600] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.600] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.600] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0082.674] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0082.674] CloseHandle (hObject=0x1f0) returned 1 [0082.674] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1.protected") returned 102 [0082.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1.protected")) returned 1 [0082.755] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0082.755] lstrcmpiW (lpString1="data_2", lpString2="Windows") returned -1 [0082.755] lstrcmpiW (lpString1="data_2", lpString2="Program Files") returned -1 [0082.755] lstrcmpiW (lpString1="data_2", lpString2="Program Files (x86)") returned -1 [0082.755] lstrcmpiW (lpString1="data_2", lpString2="$Recycle.bin") returned 1 [0082.755] lstrcmpiW (lpString1="data_2", lpString2="System Volume Information") returned -1 [0082.755] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2") returned 92 [0082.755] StrStrIW (lpFirst="data_2", lpSrch=".protected") returned 0x0 [0082.755] lstrcmpW (lpString1="data_2", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0082.755] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0082.755] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0082.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0082.756] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2") returned 92 [0082.756] StrStrW (lpFirst="data_2", lpSrch=".txt") returned 0x0 [0082.756] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2") returned 92 [0082.756] StrStrW (lpFirst="data_2", lpSrch=".rar") returned 0x0 [0082.756] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2") returned 92 [0082.756] StrStrW (lpFirst="data_2", lpSrch=".zip") returned 0x0 [0082.756] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2000, lpOverlapped=0x0) returned 1 [0082.784] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.784] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2000, lpOverlapped=0x0) returned 1 [0082.784] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.784] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0082.784] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0082.785] CloseHandle (hObject=0x1f0) returned 1 [0082.785] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2.protected") returned 102 [0082.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2.protected")) returned 1 [0082.785] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0082.785] lstrcmpiW (lpString1="data_3", lpString2="Windows") returned -1 [0082.785] lstrcmpiW (lpString1="data_3", lpString2="Program Files") returned -1 [0082.785] lstrcmpiW (lpString1="data_3", lpString2="Program Files (x86)") returned -1 [0082.785] lstrcmpiW (lpString1="data_3", lpString2="$Recycle.bin") returned 1 [0082.785] lstrcmpiW (lpString1="data_3", lpString2="System Volume Information") returned -1 [0082.785] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3") returned 92 [0082.785] StrStrIW (lpFirst="data_3", lpSrch=".protected") returned 0x0 [0082.785] lstrcmpW (lpString1="data_3", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0082.785] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0082.785] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0082.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0082.786] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3") returned 92 [0082.786] StrStrW (lpFirst="data_3", lpSrch=".txt") returned 0x0 [0082.786] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3") returned 92 [0082.786] StrStrW (lpFirst="data_3", lpSrch=".rar") returned 0x0 [0082.786] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3") returned 92 [0082.786] StrStrW (lpFirst="data_3", lpSrch=".zip") returned 0x0 [0082.786] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.942] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.942] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0082.942] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.942] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.295] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.295] CloseHandle (hObject=0x1f0) returned 1 [0083.295] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3.protected") returned 102 [0083.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_3.protected")) returned 1 [0083.296] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.296] lstrcmpiW (lpString1="index", lpString2="Windows") returned -1 [0083.296] lstrcmpiW (lpString1="index", lpString2="Program Files") returned -1 [0083.296] lstrcmpiW (lpString1="index", lpString2="Program Files (x86)") returned -1 [0083.296] lstrcmpiW (lpString1="index", lpString2="$Recycle.bin") returned 1 [0083.296] lstrcmpiW (lpString1="index", lpString2="System Volume Information") returned -1 [0083.296] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index") returned 91 [0083.296] StrStrIW (lpFirst="index", lpSrch=".protected") returned 0x0 [0083.296] lstrcmpW (lpString1="index", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.296] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.296] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\index"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.297] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index") returned 91 [0083.297] StrStrW (lpFirst="index", lpSrch=".txt") returned 0x0 [0083.297] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index") returned 91 [0083.297] StrStrW (lpFirst="index", lpSrch=".rar") returned 0x0 [0083.297] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index") returned 91 [0083.297] StrStrW (lpFirst="index", lpSrch=".zip") returned 0x0 [0083.297] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0083.318] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.318] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x2800, lpOverlapped=0x0) returned 1 [0083.318] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.319] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.321] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.321] CloseHandle (hObject=0x1f0) returned 1 [0083.321] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index.protected") returned 101 [0083.321] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\index"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\index.protected")) returned 1 [0083.322] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0 [0083.322] FindClose (in: hFindFile=0x5574f0 | out: hFindFile=0x5574f0) returned 1 [0083.322] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 115 [0083.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0083.322] lstrlenA (lpString="EMPTY") returned 5 [0083.322] WriteFile (in: hFile=0x1ec, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edcb4*=0x5, lpOverlapped=0x0) returned 1 [0083.323] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.323] WriteFile (in: hFile=0x1ec, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edcb4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.323] CloseHandle (hObject=0x1ec) returned 1 [0083.323] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0083.323] lstrcmpiW (lpString1="Cookies", lpString2="Windows") returned -1 [0083.323] lstrcmpiW (lpString1="Cookies", lpString2="Program Files") returned -1 [0083.323] lstrcmpiW (lpString1="Cookies", lpString2="Program Files (x86)") returned -1 [0083.323] lstrcmpiW (lpString1="Cookies", lpString2="$Recycle.bin") returned 1 [0083.323] lstrcmpiW (lpString1="Cookies", lpString2="System Volume Information") returned -1 [0083.323] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies") returned 87 [0083.323] StrStrIW (lpFirst="Cookies", lpSrch=".protected") returned 0x0 [0083.324] lstrcmpW (lpString1="Cookies", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0083.324] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edfd0 | out: pbBuffer=0x2edfd0) returned 1 [0083.324] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x30) returned 1 [0083.324] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0083.325] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies") returned 87 [0083.325] StrStrW (lpFirst="Cookies", lpSrch=".txt") returned 0x0 [0083.325] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies") returned 87 [0083.325] StrStrW (lpFirst="Cookies", lpSrch=".rar") returned 0x0 [0083.325] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies") returned 87 [0083.325] StrStrW (lpFirst="Cookies", lpSrch=".zip") returned 0x0 [0083.325] ReadFile (in: hFile=0x1ec, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edfa0*=0x1c00, lpOverlapped=0x0) returned 1 [0083.326] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xffffe400, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.326] WriteFile (in: hFile=0x1ec, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edfa0*=0x1c00, lpOverlapped=0x0) returned 1 [0083.327] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.327] WriteFile (in: hFile=0x1ec, lpBuffer=0x2edfcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x2edfcc*, lpNumberOfBytesWritten=0x2edfa0*=0x4, lpOverlapped=0x0) returned 1 [0083.327] WriteFile (in: hFile=0x1ec, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edfa0*=0x30, lpOverlapped=0x0) returned 1 [0083.327] CloseHandle (hObject=0x1ec) returned 1 [0083.328] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies.protected") returned 97 [0083.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies.protected")) returned 1 [0083.329] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0083.329] lstrcmpiW (lpString1="Cookies-journal", lpString2="Windows") returned -1 [0083.329] lstrcmpiW (lpString1="Cookies-journal", lpString2="Program Files") returned -1 [0083.329] lstrcmpiW (lpString1="Cookies-journal", lpString2="Program Files (x86)") returned -1 [0083.329] lstrcmpiW (lpString1="Cookies-journal", lpString2="$Recycle.bin") returned 1 [0083.329] lstrcmpiW (lpString1="Cookies-journal", lpString2="System Volume Information") returned -1 [0083.329] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal") returned 95 [0083.329] StrStrIW (lpFirst="Cookies-journal", lpSrch=".protected") returned 0x0 [0083.329] lstrcmpW (lpString1="Cookies-journal", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0083.329] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edfd0 | out: pbBuffer=0x2edfd0) returned 1 [0083.329] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x30) returned 1 [0083.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0083.330] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal") returned 95 [0083.330] StrStrW (lpFirst="Cookies-journal", lpSrch=".txt") returned 0x0 [0083.330] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal") returned 95 [0083.330] StrStrW (lpFirst="Cookies-journal", lpSrch=".rar") returned 0x0 [0083.330] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal") returned 95 [0083.330] StrStrW (lpFirst="Cookies-journal", lpSrch=".zip") returned 0x0 [0083.330] ReadFile (in: hFile=0x1ec, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edfa0*=0x0, lpOverlapped=0x0) returned 1 [0083.330] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.330] WriteFile (in: hFile=0x1ec, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edfa0*=0x0, lpOverlapped=0x0) returned 1 [0083.331] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.331] WriteFile (in: hFile=0x1ec, lpBuffer=0x2edfcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x2edfcc*, lpNumberOfBytesWritten=0x2edfa0*=0x4, lpOverlapped=0x0) returned 1 [0083.331] WriteFile (in: hFile=0x1ec, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edfa0*=0x30, lpOverlapped=0x0) returned 1 [0083.332] CloseHandle (hObject=0x1ec) returned 1 [0083.332] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal.protected") returned 105 [0083.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies-journal.protected")) returned 1 [0083.333] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0083.333] lstrcmpiW (lpString1="Current Session", lpString2="Windows") returned -1 [0083.333] lstrcmpiW (lpString1="Current Session", lpString2="Program Files") returned -1 [0083.333] lstrcmpiW (lpString1="Current Session", lpString2="Program Files (x86)") returned -1 [0083.333] lstrcmpiW (lpString1="Current Session", lpString2="$Recycle.bin") returned 1 [0083.333] lstrcmpiW (lpString1="Current Session", lpString2="System Volume Information") returned -1 [0083.333] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session") returned 95 [0083.333] StrStrIW (lpFirst="Current Session", lpSrch=".protected") returned 0x0 [0083.333] lstrcmpW (lpString1="Current Session", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0083.333] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edfd0 | out: pbBuffer=0x2edfd0) returned 1 [0083.333] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x30) returned 1 [0083.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current session"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0083.334] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session") returned 95 [0083.334] StrStrW (lpFirst="Current Session", lpSrch=".txt") returned 0x0 [0083.334] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session") returned 95 [0083.334] StrStrW (lpFirst="Current Session", lpSrch=".rar") returned 0x0 [0083.334] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session") returned 95 [0083.334] StrStrW (lpFirst="Current Session", lpSrch=".zip") returned 0x0 [0083.334] ReadFile (in: hFile=0x1ec, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edfa0*=0x1d6, lpOverlapped=0x0) returned 1 [0083.335] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xfffffe2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.335] WriteFile (in: hFile=0x1ec, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x1d6, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edfa0*=0x1d6, lpOverlapped=0x0) returned 1 [0083.336] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.336] WriteFile (in: hFile=0x1ec, lpBuffer=0x2edfcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x2edfcc*, lpNumberOfBytesWritten=0x2edfa0*=0x4, lpOverlapped=0x0) returned 1 [0083.336] WriteFile (in: hFile=0x1ec, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edfa0*=0x30, lpOverlapped=0x0) returned 1 [0083.336] CloseHandle (hObject=0x1ec) returned 1 [0083.337] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session.protected") returned 105 [0083.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current session"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current session.protected")) returned 1 [0083.337] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0083.337] lstrcmpiW (lpString1="Current Tabs", lpString2="Windows") returned -1 [0083.337] lstrcmpiW (lpString1="Current Tabs", lpString2="Program Files") returned -1 [0083.337] lstrcmpiW (lpString1="Current Tabs", lpString2="Program Files (x86)") returned -1 [0083.337] lstrcmpiW (lpString1="Current Tabs", lpString2="$Recycle.bin") returned 1 [0083.337] lstrcmpiW (lpString1="Current Tabs", lpString2="System Volume Information") returned -1 [0083.337] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs") returned 92 [0083.337] StrStrIW (lpFirst="Current Tabs", lpSrch=".protected") returned 0x0 [0083.337] lstrcmpW (lpString1="Current Tabs", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0083.337] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edfd0 | out: pbBuffer=0x2edfd0) returned 1 [0083.338] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x30) returned 1 [0083.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current tabs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0083.338] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs") returned 92 [0083.338] StrStrW (lpFirst="Current Tabs", lpSrch=".txt") returned 0x0 [0083.338] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs") returned 92 [0083.338] StrStrW (lpFirst="Current Tabs", lpSrch=".rar") returned 0x0 [0083.338] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs") returned 92 [0083.338] StrStrW (lpFirst="Current Tabs", lpSrch=".zip") returned 0x0 [0083.338] ReadFile (in: hFile=0x1ec, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edfa0*=0x126, lpOverlapped=0x0) returned 1 [0083.339] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xfffffeda, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.339] WriteFile (in: hFile=0x1ec, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x126, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edfa0*=0x126, lpOverlapped=0x0) returned 1 [0083.340] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.340] WriteFile (in: hFile=0x1ec, lpBuffer=0x2edfcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x2edfcc*, lpNumberOfBytesWritten=0x2edfa0*=0x4, lpOverlapped=0x0) returned 1 [0083.340] WriteFile (in: hFile=0x1ec, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edfa0*=0x30, lpOverlapped=0x0) returned 1 [0083.341] CloseHandle (hObject=0x1ec) returned 1 [0083.341] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs.protected") returned 102 [0083.341] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current tabs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current tabs.protected")) returned 1 [0083.342] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0083.342] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="Windows") returned -1 [0083.342] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="Program Files") returned -1 [0083.342] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="Program Files (x86)") returned -1 [0083.342] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="$Recycle.bin") returned 1 [0083.342] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="System Volume Information") returned -1 [0083.342] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 108 [0083.342] lstrcmpW (lpString1="data_reduction_proxy_leveldb", lpString2=".") returned 1 [0083.342] lstrcmpW (lpString1="data_reduction_proxy_leveldb", lpString2="..") returned 1 [0083.342] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\*") returned 110 [0083.342] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\*", lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0x5574f0 [0083.451] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.451] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.451] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.451] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.451] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.451] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\.") returned 110 [0083.451] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.452] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.452] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.452] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.452] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.452] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.452] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.452] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\..") returned 111 [0083.452] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.452] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.452] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.452] lstrcmpiW (lpString1="000003.log", lpString2="Windows") returned -1 [0083.452] lstrcmpiW (lpString1="000003.log", lpString2="Program Files") returned -1 [0083.452] lstrcmpiW (lpString1="000003.log", lpString2="Program Files (x86)") returned -1 [0083.452] lstrcmpiW (lpString1="000003.log", lpString2="$Recycle.bin") returned 1 [0083.452] lstrcmpiW (lpString1="000003.log", lpString2="System Volume Information") returned -1 [0083.452] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log") returned 119 [0083.452] StrStrIW (lpFirst="000003.log", lpSrch=".protected") returned 0x0 [0083.452] lstrcmpW (lpString1="000003.log", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0083.452] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.452] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.452] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.453] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log") returned 119 [0083.453] StrStrW (lpFirst="000003.log", lpSrch=".txt") returned 0x0 [0083.453] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log") returned 119 [0083.453] StrStrW (lpFirst="000003.log", lpSrch=".rar") returned 0x0 [0083.453] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log") returned 119 [0083.453] StrStrW (lpFirst="000003.log", lpSrch=".zip") returned 0x0 [0083.453] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x0, lpOverlapped=0x0) returned 1 [0083.453] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.453] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x0, lpOverlapped=0x0) returned 1 [0083.453] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.453] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.454] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.454] CloseHandle (hObject=0x1f0) returned 1 [0083.454] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log.protected") returned 129 [0083.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\000003.log.protected")) returned 1 [0083.455] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.455] lstrcmpiW (lpString1="CURRENT", lpString2="Windows") returned -1 [0083.455] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files") returned -1 [0083.455] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files (x86)") returned -1 [0083.455] lstrcmpiW (lpString1="CURRENT", lpString2="$Recycle.bin") returned 1 [0083.455] lstrcmpiW (lpString1="CURRENT", lpString2="System Volume Information") returned -1 [0083.455] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT") returned 116 [0083.455] StrStrIW (lpFirst="CURRENT", lpSrch=".protected") returned 0x0 [0083.455] lstrcmpW (lpString1="CURRENT", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0083.455] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.455] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.456] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT") returned 116 [0083.456] StrStrW (lpFirst="CURRENT", lpSrch=".txt") returned 0x0 [0083.456] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT") returned 116 [0083.456] StrStrW (lpFirst="CURRENT", lpSrch=".rar") returned 0x0 [0083.456] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT") returned 116 [0083.456] StrStrW (lpFirst="CURRENT", lpSrch=".zip") returned 0x0 [0083.456] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x10, lpOverlapped=0x0) returned 1 [0083.457] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.457] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x10, lpOverlapped=0x0) returned 1 [0083.457] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.457] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.458] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.458] CloseHandle (hObject=0x1f0) returned 1 [0083.458] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT.protected") returned 126 [0083.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\current"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\current.protected")) returned 1 [0083.458] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.458] lstrcmpiW (lpString1="LOCK", lpString2="Windows") returned -1 [0083.458] lstrcmpiW (lpString1="LOCK", lpString2="Program Files") returned -1 [0083.458] lstrcmpiW (lpString1="LOCK", lpString2="Program Files (x86)") returned -1 [0083.458] lstrcmpiW (lpString1="LOCK", lpString2="$Recycle.bin") returned 1 [0083.458] lstrcmpiW (lpString1="LOCK", lpString2="System Volume Information") returned -1 [0083.458] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK") returned 113 [0083.459] StrStrIW (lpFirst="LOCK", lpSrch=".protected") returned 0x0 [0083.459] lstrcmpW (lpString1="LOCK", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.459] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.459] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK") returned 113 [0083.459] StrStrW (lpFirst="LOCK", lpSrch=".txt") returned 0x0 [0083.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK") returned 113 [0083.459] StrStrW (lpFirst="LOCK", lpSrch=".rar") returned 0x0 [0083.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK") returned 113 [0083.459] StrStrW (lpFirst="LOCK", lpSrch=".zip") returned 0x0 [0083.459] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x0, lpOverlapped=0x0) returned 1 [0083.459] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.459] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x0, lpOverlapped=0x0) returned 1 [0083.459] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.459] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.460] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.460] CloseHandle (hObject=0x1f0) returned 1 [0083.461] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK.protected") returned 123 [0083.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\lock.protected")) returned 1 [0083.461] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.461] lstrcmpiW (lpString1="LOG", lpString2="Windows") returned -1 [0083.461] lstrcmpiW (lpString1="LOG", lpString2="Program Files") returned -1 [0083.461] lstrcmpiW (lpString1="LOG", lpString2="Program Files (x86)") returned -1 [0083.461] lstrcmpiW (lpString1="LOG", lpString2="$Recycle.bin") returned 1 [0083.461] lstrcmpiW (lpString1="LOG", lpString2="System Volume Information") returned -1 [0083.461] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG") returned 112 [0083.461] StrStrIW (lpFirst="LOG", lpSrch=".protected") returned 0x0 [0083.461] lstrcmpW (lpString1="LOG", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.461] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.461] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG") returned 112 [0083.462] StrStrW (lpFirst="LOG", lpSrch=".txt") returned 0x0 [0083.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG") returned 112 [0083.462] StrStrW (lpFirst="LOG", lpSrch=".rar") returned 0x0 [0083.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG") returned 112 [0083.462] StrStrW (lpFirst="LOG", lpSrch=".zip") returned 0x0 [0083.462] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0xa7, lpOverlapped=0x0) returned 1 [0083.463] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffff59, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.463] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0xa7, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0xa7, lpOverlapped=0x0) returned 1 [0083.463] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.463] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.463] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.463] CloseHandle (hObject=0x1f0) returned 1 [0083.463] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG.protected") returned 122 [0083.463] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\log.protected")) returned 1 [0083.464] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.464] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Windows") returned -1 [0083.464] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files") returned -1 [0083.464] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files (x86)") returned -1 [0083.464] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="$Recycle.bin") returned 1 [0083.464] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="System Volume Information") returned -1 [0083.464] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001") returned 124 [0083.464] StrStrIW (lpFirst="MANIFEST-000001", lpSrch=".protected") returned 0x0 [0083.464] lstrcmpW (lpString1="MANIFEST-000001", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.464] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.464] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.464] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.464] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001") returned 124 [0083.464] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".txt") returned 0x0 [0083.464] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001") returned 124 [0083.465] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".rar") returned 0x0 [0083.465] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001") returned 124 [0083.465] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".zip") returned 0x0 [0083.465] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x29, lpOverlapped=0x0) returned 1 [0083.465] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.465] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x29, lpOverlapped=0x0) returned 1 [0083.466] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.466] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.466] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.466] CloseHandle (hObject=0x1f0) returned 1 [0083.466] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001.protected") returned 134 [0083.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\manifest-000001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\manifest-000001.protected")) returned 1 [0083.467] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0 [0083.467] FindClose (in: hFindFile=0x5574f0 | out: hFindFile=0x5574f0) returned 1 [0083.467] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 138 [0083.467] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0083.467] lstrlenA (lpString="EMPTY") returned 5 [0083.467] WriteFile (in: hFile=0x1ec, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edcb4*=0x5, lpOverlapped=0x0) returned 1 [0083.468] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.468] WriteFile (in: hFile=0x1ec, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edcb4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.468] CloseHandle (hObject=0x1ec) returned 1 [0083.468] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0083.468] lstrcmpiW (lpString1="Extension Rules", lpString2="Windows") returned -1 [0083.468] lstrcmpiW (lpString1="Extension Rules", lpString2="Program Files") returned -1 [0083.468] lstrcmpiW (lpString1="Extension Rules", lpString2="Program Files (x86)") returned -1 [0083.468] lstrcmpiW (lpString1="Extension Rules", lpString2="$Recycle.bin") returned 1 [0083.468] lstrcmpiW (lpString1="Extension Rules", lpString2="System Volume Information") returned -1 [0083.468] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 95 [0083.468] lstrcmpW (lpString1="Extension Rules", lpString2=".") returned 1 [0083.468] lstrcmpW (lpString1="Extension Rules", lpString2="..") returned 1 [0083.469] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\*") returned 97 [0083.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\*", lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0x5574f0 [0083.500] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.500] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.500] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.500] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.500] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.500] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\.") returned 97 [0083.500] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.500] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.500] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.500] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.500] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.500] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.500] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.500] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\..") returned 98 [0083.500] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.500] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.500] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.500] lstrcmpiW (lpString1="000003.log", lpString2="Windows") returned -1 [0083.500] lstrcmpiW (lpString1="000003.log", lpString2="Program Files") returned -1 [0083.500] lstrcmpiW (lpString1="000003.log", lpString2="Program Files (x86)") returned -1 [0083.500] lstrcmpiW (lpString1="000003.log", lpString2="$Recycle.bin") returned 1 [0083.500] lstrcmpiW (lpString1="000003.log", lpString2="System Volume Information") returned -1 [0083.500] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log") returned 106 [0083.500] StrStrIW (lpFirst="000003.log", lpSrch=".protected") returned 0x0 [0083.500] lstrcmpW (lpString1="000003.log", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0083.500] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.500] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.501] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log") returned 106 [0083.501] StrStrW (lpFirst="000003.log", lpSrch=".txt") returned 0x0 [0083.501] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log") returned 106 [0083.501] StrStrW (lpFirst="000003.log", lpSrch=".rar") returned 0x0 [0083.502] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log") returned 106 [0083.502] StrStrW (lpFirst="000003.log", lpSrch=".zip") returned 0x0 [0083.502] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x156, lpOverlapped=0x0) returned 1 [0083.502] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffffeaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.502] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x156, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x156, lpOverlapped=0x0) returned 1 [0083.503] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.503] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.503] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.503] CloseHandle (hObject=0x1f0) returned 1 [0083.503] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log.protected") returned 116 [0083.503] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\000003.log.protected")) returned 1 [0083.504] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.504] lstrcmpiW (lpString1="CURRENT", lpString2="Windows") returned -1 [0083.504] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files") returned -1 [0083.504] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files (x86)") returned -1 [0083.504] lstrcmpiW (lpString1="CURRENT", lpString2="$Recycle.bin") returned 1 [0083.504] lstrcmpiW (lpString1="CURRENT", lpString2="System Volume Information") returned -1 [0083.504] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT") returned 103 [0083.504] StrStrIW (lpFirst="CURRENT", lpSrch=".protected") returned 0x0 [0083.504] lstrcmpW (lpString1="CURRENT", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0083.504] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.504] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.504] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT") returned 103 [0083.504] StrStrW (lpFirst="CURRENT", lpSrch=".txt") returned 0x0 [0083.504] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT") returned 103 [0083.504] StrStrW (lpFirst="CURRENT", lpSrch=".rar") returned 0x0 [0083.504] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT") returned 103 [0083.504] StrStrW (lpFirst="CURRENT", lpSrch=".zip") returned 0x0 [0083.504] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x10, lpOverlapped=0x0) returned 1 [0083.505] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.505] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x10, lpOverlapped=0x0) returned 1 [0083.505] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.505] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.505] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.506] CloseHandle (hObject=0x1f0) returned 1 [0083.506] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT.protected") returned 113 [0083.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\current"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\current.protected")) returned 1 [0083.506] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.506] lstrcmpiW (lpString1="LOCK", lpString2="Windows") returned -1 [0083.506] lstrcmpiW (lpString1="LOCK", lpString2="Program Files") returned -1 [0083.506] lstrcmpiW (lpString1="LOCK", lpString2="Program Files (x86)") returned -1 [0083.506] lstrcmpiW (lpString1="LOCK", lpString2="$Recycle.bin") returned 1 [0083.506] lstrcmpiW (lpString1="LOCK", lpString2="System Volume Information") returned -1 [0083.506] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK") returned 100 [0083.506] StrStrIW (lpFirst="LOCK", lpSrch=".protected") returned 0x0 [0083.506] lstrcmpW (lpString1="LOCK", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.506] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.506] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.507] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.507] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK") returned 100 [0083.507] StrStrW (lpFirst="LOCK", lpSrch=".txt") returned 0x0 [0083.507] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK") returned 100 [0083.507] StrStrW (lpFirst="LOCK", lpSrch=".rar") returned 0x0 [0083.507] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK") returned 100 [0083.507] StrStrW (lpFirst="LOCK", lpSrch=".zip") returned 0x0 [0083.507] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x0, lpOverlapped=0x0) returned 1 [0083.508] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.508] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x0, lpOverlapped=0x0) returned 1 [0083.508] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.508] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.508] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.509] CloseHandle (hObject=0x1f0) returned 1 [0083.509] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK.protected") returned 110 [0083.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\lock.protected")) returned 1 [0083.509] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.509] lstrcmpiW (lpString1="LOG", lpString2="Windows") returned -1 [0083.509] lstrcmpiW (lpString1="LOG", lpString2="Program Files") returned -1 [0083.509] lstrcmpiW (lpString1="LOG", lpString2="Program Files (x86)") returned -1 [0083.509] lstrcmpiW (lpString1="LOG", lpString2="$Recycle.bin") returned 1 [0083.509] lstrcmpiW (lpString1="LOG", lpString2="System Volume Information") returned -1 [0083.509] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG") returned 99 [0083.509] StrStrIW (lpFirst="LOG", lpSrch=".protected") returned 0x0 [0083.509] lstrcmpW (lpString1="LOG", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.509] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.509] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.519] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG") returned 99 [0083.519] StrStrW (lpFirst="LOG", lpSrch=".txt") returned 0x0 [0083.519] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG") returned 99 [0083.519] StrStrW (lpFirst="LOG", lpSrch=".rar") returned 0x0 [0083.519] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG") returned 99 [0083.519] StrStrW (lpFirst="LOG", lpSrch=".zip") returned 0x0 [0083.519] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x9a, lpOverlapped=0x0) returned 1 [0083.520] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffff66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.520] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x9a, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x9a, lpOverlapped=0x0) returned 1 [0083.521] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.521] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.521] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.521] CloseHandle (hObject=0x1f0) returned 1 [0083.521] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG.protected") returned 109 [0083.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\log.protected")) returned 1 [0083.522] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.522] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Windows") returned -1 [0083.522] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files") returned -1 [0083.522] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files (x86)") returned -1 [0083.522] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="$Recycle.bin") returned 1 [0083.522] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="System Volume Information") returned -1 [0083.522] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001") returned 111 [0083.522] StrStrIW (lpFirst="MANIFEST-000001", lpSrch=".protected") returned 0x0 [0083.522] lstrcmpW (lpString1="MANIFEST-000001", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.522] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.522] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.522] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001") returned 111 [0083.522] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".txt") returned 0x0 [0083.522] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001") returned 111 [0083.522] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".rar") returned 0x0 [0083.522] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001") returned 111 [0083.522] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".zip") returned 0x0 [0083.522] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x29, lpOverlapped=0x0) returned 1 [0083.523] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.523] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x29, lpOverlapped=0x0) returned 1 [0083.523] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.523] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.524] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.524] CloseHandle (hObject=0x1f0) returned 1 [0083.524] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001.protected") returned 121 [0083.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\manifest-000001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\manifest-000001.protected")) returned 1 [0083.524] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0 [0083.524] FindClose (in: hFindFile=0x5574f0 | out: hFindFile=0x5574f0) returned 1 [0083.524] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 125 [0083.524] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0083.525] lstrlenA (lpString="EMPTY") returned 5 [0083.525] WriteFile (in: hFile=0x1ec, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edcb4*=0x5, lpOverlapped=0x0) returned 1 [0083.525] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.525] WriteFile (in: hFile=0x1ec, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edcb4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.526] CloseHandle (hObject=0x1ec) returned 1 [0083.526] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0083.526] lstrcmpiW (lpString1="Extension State", lpString2="Windows") returned -1 [0083.526] lstrcmpiW (lpString1="Extension State", lpString2="Program Files") returned -1 [0083.526] lstrcmpiW (lpString1="Extension State", lpString2="Program Files (x86)") returned -1 [0083.526] lstrcmpiW (lpString1="Extension State", lpString2="$Recycle.bin") returned 1 [0083.526] lstrcmpiW (lpString1="Extension State", lpString2="System Volume Information") returned -1 [0083.526] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 95 [0083.526] lstrcmpW (lpString1="Extension State", lpString2=".") returned 1 [0083.526] lstrcmpW (lpString1="Extension State", lpString2="..") returned 1 [0083.526] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\*") returned 97 [0083.526] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\*", lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0x5574f0 [0083.535] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.535] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.535] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.535] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.535] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.535] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\.") returned 97 [0083.535] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.535] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.535] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.535] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.535] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.535] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.535] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.535] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\..") returned 98 [0083.535] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.535] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.535] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.535] lstrcmpiW (lpString1="000003.log", lpString2="Windows") returned -1 [0083.535] lstrcmpiW (lpString1="000003.log", lpString2="Program Files") returned -1 [0083.535] lstrcmpiW (lpString1="000003.log", lpString2="Program Files (x86)") returned -1 [0083.535] lstrcmpiW (lpString1="000003.log", lpString2="$Recycle.bin") returned 1 [0083.535] lstrcmpiW (lpString1="000003.log", lpString2="System Volume Information") returned -1 [0083.535] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log") returned 106 [0083.535] StrStrIW (lpFirst="000003.log", lpSrch=".protected") returned 0x0 [0083.535] lstrcmpW (lpString1="000003.log", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0083.535] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.535] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.536] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log") returned 106 [0083.536] StrStrW (lpFirst="000003.log", lpSrch=".txt") returned 0x0 [0083.536] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log") returned 106 [0083.536] StrStrW (lpFirst="000003.log", lpSrch=".rar") returned 0x0 [0083.536] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log") returned 106 [0083.536] StrStrW (lpFirst="000003.log", lpSrch=".zip") returned 0x0 [0083.536] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x4ad, lpOverlapped=0x0) returned 1 [0083.621] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffffb53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.622] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x4ad, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x4ad, lpOverlapped=0x0) returned 1 [0083.654] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.654] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.654] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.654] CloseHandle (hObject=0x1f0) returned 1 [0083.655] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log.protected") returned 116 [0083.655] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\000003.log.protected")) returned 1 [0083.655] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.655] lstrcmpiW (lpString1="CURRENT", lpString2="Windows") returned -1 [0083.655] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files") returned -1 [0083.655] lstrcmpiW (lpString1="CURRENT", lpString2="Program Files (x86)") returned -1 [0083.655] lstrcmpiW (lpString1="CURRENT", lpString2="$Recycle.bin") returned 1 [0083.655] lstrcmpiW (lpString1="CURRENT", lpString2="System Volume Information") returned -1 [0083.655] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT") returned 103 [0083.655] StrStrIW (lpFirst="CURRENT", lpSrch=".protected") returned 0x0 [0083.655] lstrcmpW (lpString1="CURRENT", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0083.655] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.655] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.656] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT") returned 103 [0083.656] StrStrW (lpFirst="CURRENT", lpSrch=".txt") returned 0x0 [0083.656] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT") returned 103 [0083.656] StrStrW (lpFirst="CURRENT", lpSrch=".rar") returned 0x0 [0083.656] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT") returned 103 [0083.656] StrStrW (lpFirst="CURRENT", lpSrch=".zip") returned 0x0 [0083.656] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x10, lpOverlapped=0x0) returned 1 [0083.656] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.657] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x10, lpOverlapped=0x0) returned 1 [0083.657] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.657] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.657] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.657] CloseHandle (hObject=0x1f0) returned 1 [0083.657] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT.protected") returned 113 [0083.657] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\current"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\current.protected")) returned 1 [0083.657] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.657] lstrcmpiW (lpString1="LOCK", lpString2="Windows") returned -1 [0083.657] lstrcmpiW (lpString1="LOCK", lpString2="Program Files") returned -1 [0083.657] lstrcmpiW (lpString1="LOCK", lpString2="Program Files (x86)") returned -1 [0083.657] lstrcmpiW (lpString1="LOCK", lpString2="$Recycle.bin") returned 1 [0083.657] lstrcmpiW (lpString1="LOCK", lpString2="System Volume Information") returned -1 [0083.657] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK") returned 100 [0083.658] StrStrIW (lpFirst="LOCK", lpSrch=".protected") returned 0x0 [0083.658] lstrcmpW (lpString1="LOCK", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.658] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.658] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.658] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK") returned 100 [0083.658] StrStrW (lpFirst="LOCK", lpSrch=".txt") returned 0x0 [0083.658] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK") returned 100 [0083.658] StrStrW (lpFirst="LOCK", lpSrch=".rar") returned 0x0 [0083.658] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK") returned 100 [0083.658] StrStrW (lpFirst="LOCK", lpSrch=".zip") returned 0x0 [0083.658] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x0, lpOverlapped=0x0) returned 1 [0083.658] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.658] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x0, lpOverlapped=0x0) returned 1 [0083.658] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.658] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.659] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.659] CloseHandle (hObject=0x1f0) returned 1 [0083.659] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK.protected") returned 110 [0083.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\lock.protected")) returned 1 [0083.659] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.659] lstrcmpiW (lpString1="LOG", lpString2="Windows") returned -1 [0083.659] lstrcmpiW (lpString1="LOG", lpString2="Program Files") returned -1 [0083.659] lstrcmpiW (lpString1="LOG", lpString2="Program Files (x86)") returned -1 [0083.659] lstrcmpiW (lpString1="LOG", lpString2="$Recycle.bin") returned 1 [0083.659] lstrcmpiW (lpString1="LOG", lpString2="System Volume Information") returned -1 [0083.659] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG") returned 99 [0083.659] StrStrIW (lpFirst="LOG", lpSrch=".protected") returned 0x0 [0083.659] lstrcmpW (lpString1="LOG", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.659] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.659] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.660] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG") returned 99 [0083.660] StrStrW (lpFirst="LOG", lpSrch=".txt") returned 0x0 [0083.660] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG") returned 99 [0083.660] StrStrW (lpFirst="LOG", lpSrch=".rar") returned 0x0 [0083.660] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG") returned 99 [0083.660] StrStrW (lpFirst="LOG", lpSrch=".zip") returned 0x0 [0083.660] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x9a, lpOverlapped=0x0) returned 1 [0083.660] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffff66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.660] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x9a, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x9a, lpOverlapped=0x0) returned 1 [0083.661] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.661] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.661] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.661] CloseHandle (hObject=0x1f0) returned 1 [0083.661] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG.protected") returned 109 [0083.661] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\log.protected")) returned 1 [0083.661] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.661] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Windows") returned -1 [0083.661] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files") returned -1 [0083.661] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="Program Files (x86)") returned -1 [0083.661] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="$Recycle.bin") returned 1 [0083.661] lstrcmpiW (lpString1="MANIFEST-000001", lpString2="System Volume Information") returned -1 [0083.661] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001") returned 111 [0083.661] StrStrIW (lpFirst="MANIFEST-000001", lpSrch=".protected") returned 0x0 [0083.661] lstrcmpW (lpString1="MANIFEST-000001", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.661] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edcd8 | out: pbBuffer=0x2edcd8) returned 1 [0083.661] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edccc*=0x30) returned 1 [0083.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0083.662] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001") returned 111 [0083.662] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".txt") returned 0x0 [0083.662] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001") returned 111 [0083.662] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".rar") returned 0x0 [0083.662] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001") returned 111 [0083.662] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".zip") returned 0x0 [0083.662] ReadFile (in: hFile=0x1f0, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edca8*=0x29, lpOverlapped=0x0) returned 1 [0083.662] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.662] WriteFile (in: hFile=0x1f0, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edca8*=0x29, lpOverlapped=0x0) returned 1 [0083.662] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.662] WriteFile (in: hFile=0x1f0, lpBuffer=0x2edcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x2edcd4*, lpNumberOfBytesWritten=0x2edca8*=0x4, lpOverlapped=0x0) returned 1 [0083.663] WriteFile (in: hFile=0x1f0, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edca8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edca8*=0x30, lpOverlapped=0x0) returned 1 [0083.663] CloseHandle (hObject=0x1f0) returned 1 [0083.663] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001.protected") returned 121 [0083.663] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\manifest-000001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\manifest-000001.protected")) returned 1 [0083.663] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0 [0083.663] FindClose (in: hFindFile=0x5574f0 | out: hFindFile=0x5574f0) returned 1 [0083.663] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 125 [0083.663] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0083.664] lstrlenA (lpString="EMPTY") returned 5 [0083.664] WriteFile (in: hFile=0x1ec, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edcb4*=0x5, lpOverlapped=0x0) returned 1 [0083.664] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.664] WriteFile (in: hFile=0x1ec, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edcb4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.665] CloseHandle (hObject=0x1ec) returned 1 [0083.665] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0083.665] lstrcmpiW (lpString1="Extensions", lpString2="Windows") returned -1 [0083.665] lstrcmpiW (lpString1="Extensions", lpString2="Program Files") returned -1 [0083.665] lstrcmpiW (lpString1="Extensions", lpString2="Program Files (x86)") returned -1 [0083.665] lstrcmpiW (lpString1="Extensions", lpString2="$Recycle.bin") returned 1 [0083.665] lstrcmpiW (lpString1="Extensions", lpString2="System Volume Information") returned -1 [0083.665] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 90 [0083.665] lstrcmpW (lpString1="Extensions", lpString2=".") returned 1 [0083.665] lstrcmpW (lpString1="Extensions", lpString2="..") returned 1 [0083.665] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*") returned 92 [0083.665] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*", lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0x5574f0 [0083.739] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.739] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.739] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.739] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.739] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.739] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\.") returned 92 [0083.739] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.739] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.739] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.739] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.739] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.739] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.740] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.740] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\..") returned 93 [0083.740] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.740] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.740] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0083.740] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="Windows") returned -1 [0083.740] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="Program Files") returned -1 [0083.740] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="Program Files (x86)") returned -1 [0083.740] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="$Recycle.bin") returned 1 [0083.740] lstrcmpiW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="System Volume Information") returned -1 [0083.740] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek") returned 123 [0083.740] lstrcmpW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2=".") returned 1 [0083.740] lstrcmpW (lpString1="aapocclcgogkmnckokdopfmhonfmgoek", lpString2="..") returned 1 [0083.740] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\*") returned 125 [0083.740] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\*", lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0x557530 [0083.771] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.771] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.771] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.771] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.771] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.771] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\.") returned 125 [0083.771] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.771] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0083.771] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.771] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.771] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.771] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.771] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.771] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\..") returned 126 [0083.771] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.771] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.771] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0083.771] lstrcmpiW (lpString1="0.9_0", lpString2="Windows") returned -1 [0083.771] lstrcmpiW (lpString1="0.9_0", lpString2="Program Files") returned -1 [0083.771] lstrcmpiW (lpString1="0.9_0", lpString2="Program Files (x86)") returned -1 [0083.771] lstrcmpiW (lpString1="0.9_0", lpString2="$Recycle.bin") returned 1 [0083.771] lstrcmpiW (lpString1="0.9_0", lpString2="System Volume Information") returned -1 [0083.771] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0") returned 129 [0083.771] lstrcmpW (lpString1="0.9_0", lpString2=".") returned 1 [0083.771] lstrcmpW (lpString1="0.9_0", lpString2="..") returned 1 [0083.772] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\*") returned 131 [0083.772] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\*", lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0x557570 [0083.838] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.838] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.839] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.839] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.839] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.839] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\.") returned 131 [0083.839] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.839] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0083.839] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.839] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.839] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.839] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.839] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.839] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\..") returned 132 [0083.839] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.839] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.839] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0083.839] lstrcmpiW (lpString1="icon_128.png", lpString2="Windows") returned -1 [0083.839] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files") returned -1 [0083.839] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files (x86)") returned -1 [0083.839] lstrcmpiW (lpString1="icon_128.png", lpString2="$Recycle.bin") returned 1 [0083.839] lstrcmpiW (lpString1="icon_128.png", lpString2="System Volume Information") returned -1 [0083.839] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png") returned 142 [0083.839] StrStrIW (lpFirst="icon_128.png", lpSrch=".protected") returned 0x0 [0083.839] lstrcmpW (lpString1="icon_128.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.839] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0083.839] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0083.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0083.849] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png") returned 142 [0083.849] StrStrW (lpFirst="icon_128.png", lpSrch=".txt") returned 0x0 [0083.849] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png") returned 142 [0083.849] StrStrW (lpFirst="icon_128.png", lpSrch=".rar") returned 0x0 [0083.849] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png") returned 142 [0083.849] StrStrW (lpFirst="icon_128.png", lpSrch=".zip") returned 0x0 [0083.849] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0xd2c, lpOverlapped=0x0) returned 1 [0083.860] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffff2d4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.860] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0xd2c, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0xd2c, lpOverlapped=0x0) returned 1 [0083.861] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.861] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0083.861] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0083.861] CloseHandle (hObject=0x1f8) returned 1 [0083.861] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png.protected") returned 152 [0083.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png.protected")) returned 1 [0083.862] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0083.862] lstrcmpiW (lpString1="icon_16.png", lpString2="Windows") returned -1 [0083.862] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files") returned -1 [0083.862] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files (x86)") returned -1 [0083.862] lstrcmpiW (lpString1="icon_16.png", lpString2="$Recycle.bin") returned 1 [0083.862] lstrcmpiW (lpString1="icon_16.png", lpString2="System Volume Information") returned -1 [0083.862] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png") returned 141 [0083.862] StrStrIW (lpFirst="icon_16.png", lpSrch=".protected") returned 0x0 [0083.862] lstrcmpW (lpString1="icon_16.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.862] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0083.862] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0083.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0083.863] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png") returned 141 [0083.863] StrStrW (lpFirst="icon_16.png", lpSrch=".txt") returned 0x0 [0083.863] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png") returned 141 [0083.863] StrStrW (lpFirst="icon_16.png", lpSrch=".rar") returned 0x0 [0083.863] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png") returned 141 [0083.863] StrStrW (lpFirst="icon_16.png", lpSrch=".zip") returned 0x0 [0083.863] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0xa0, lpOverlapped=0x0) returned 1 [0083.864] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffff60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.864] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0xa0, lpOverlapped=0x0) returned 1 [0083.864] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.864] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0083.864] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0083.864] CloseHandle (hObject=0x1f8) returned 1 [0083.864] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png.protected") returned 151 [0083.864] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png.protected")) returned 1 [0083.865] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0083.865] lstrcmpiW (lpString1="main.html", lpString2="Windows") returned -1 [0083.865] lstrcmpiW (lpString1="main.html", lpString2="Program Files") returned -1 [0083.865] lstrcmpiW (lpString1="main.html", lpString2="Program Files (x86)") returned -1 [0083.865] lstrcmpiW (lpString1="main.html", lpString2="$Recycle.bin") returned 1 [0083.865] lstrcmpiW (lpString1="main.html", lpString2="System Volume Information") returned -1 [0083.865] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html") returned 139 [0083.865] StrStrIW (lpFirst="main.html", lpSrch=".protected") returned 0x0 [0083.865] lstrcmpW (lpString1="main.html", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.865] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0083.865] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0083.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0083.872] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html") returned 139 [0083.872] StrStrW (lpFirst="main.html", lpSrch=".txt") returned 0x0 [0083.872] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html") returned 139 [0083.872] StrStrW (lpFirst="main.html", lpSrch=".rar") returned 0x0 [0083.872] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html") returned 139 [0083.872] StrStrW (lpFirst="main.html", lpSrch=".zip") returned 0x0 [0083.872] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x5c, lpOverlapped=0x0) returned 1 [0083.873] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffffa4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.873] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x5c, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x5c, lpOverlapped=0x0) returned 1 [0083.873] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.873] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0083.873] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0083.874] CloseHandle (hObject=0x1f8) returned 1 [0083.874] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html.protected") returned 149 [0083.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html.protected")) returned 1 [0083.874] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0083.874] lstrcmpiW (lpString1="main.js", lpString2="Windows") returned -1 [0083.874] lstrcmpiW (lpString1="main.js", lpString2="Program Files") returned -1 [0083.874] lstrcmpiW (lpString1="main.js", lpString2="Program Files (x86)") returned -1 [0083.874] lstrcmpiW (lpString1="main.js", lpString2="$Recycle.bin") returned 1 [0083.874] lstrcmpiW (lpString1="main.js", lpString2="System Volume Information") returned -1 [0083.874] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js") returned 137 [0083.874] StrStrIW (lpFirst="main.js", lpSrch=".protected") returned 0x0 [0083.874] lstrcmpW (lpString1="main.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.875] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0083.875] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0083.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0083.884] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js") returned 137 [0083.884] StrStrW (lpFirst="main.js", lpSrch=".txt") returned 0x0 [0083.884] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js") returned 137 [0083.884] StrStrW (lpFirst="main.js", lpSrch=".rar") returned 0x0 [0083.884] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js") returned 137 [0083.884] StrStrW (lpFirst="main.js", lpSrch=".zip") returned 0x0 [0083.884] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x5f, lpOverlapped=0x0) returned 1 [0083.885] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffffa1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.885] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x5f, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x5f, lpOverlapped=0x0) returned 1 [0083.885] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.885] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0083.885] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0083.885] CloseHandle (hObject=0x1f8) returned 1 [0083.885] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js.protected") returned 147 [0083.885] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js.protected")) returned 1 [0083.886] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0083.886] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0083.886] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0083.886] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0083.886] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0083.886] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0083.886] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json") returned 143 [0083.886] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0083.886] lstrcmpW (lpString1="manifest.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.886] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0083.886] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0083.886] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0083.887] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json") returned 143 [0083.887] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0083.887] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json") returned 143 [0083.887] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0083.887] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json") returned 143 [0083.887] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0083.887] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2d5, lpOverlapped=0x0) returned 1 [0083.902] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffffd2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.902] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2d5, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2d5, lpOverlapped=0x0) returned 1 [0083.902] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.902] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0083.902] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0083.903] CloseHandle (hObject=0x1f8) returned 1 [0083.903] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json.protected") returned 153 [0083.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json.protected")) returned 1 [0083.903] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0083.903] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0083.903] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0083.903] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0083.904] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0083.904] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0083.904] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales") returned 138 [0083.904] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0083.904] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0083.904] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\*") returned 140 [0083.904] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0083.922] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.922] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.922] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.922] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.922] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.922] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\.") returned 140 [0083.922] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.922] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0083.922] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.922] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.922] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.922] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.922] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.922] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\..") returned 141 [0083.922] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.922] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.922] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0083.922] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0083.923] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0083.923] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0083.923] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0083.923] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0083.923] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar") returned 141 [0083.923] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0083.923] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0083.923] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\*") returned 143 [0083.923] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0083.923] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.923] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.923] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.924] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.924] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.924] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\.") returned 143 [0083.924] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.924] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.924] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.924] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.924] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.924] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.924] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.924] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\..") returned 144 [0083.924] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.924] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.924] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.924] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.924] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.924] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.924] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.924] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.924] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0083.924] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.924] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.924] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0083.924] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0083.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0083.925] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0083.925] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.925] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0083.925] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.925] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0083.925] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.925] ReadFile (in: hFile=0x200, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed0c8*=0x101, lpOverlapped=0x0) returned 1 [0083.926] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.926] WriteFile (in: hFile=0x200, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x101, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed0c8*=0x101, lpOverlapped=0x0) returned 1 [0083.927] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.927] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0083.928] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0083.928] CloseHandle (hObject=0x200) returned 1 [0083.928] wnsprintfW (in: pszDest=0x2e24188, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json.protected") returned 165 [0083.928] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json.protected")) returned 1 [0083.929] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0083.929] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0083.929] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0083.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0083.929] lstrlenA (lpString="EMPTY") returned 5 [0083.929] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0083.930] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.930] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.930] CloseHandle (hObject=0x1fc) returned 1 [0083.930] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0083.930] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0083.930] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0083.930] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0083.930] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0083.930] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0083.930] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg") returned 141 [0083.930] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0083.931] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0083.931] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\*") returned 143 [0083.931] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0083.931] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.931] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.931] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.931] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.931] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.931] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\.") returned 143 [0083.931] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.931] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.931] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.931] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.931] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.931] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.931] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.931] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\..") returned 144 [0083.931] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.931] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.931] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.931] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.931] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.931] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.931] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.931] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.931] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0083.931] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.932] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.932] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0083.932] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0083.932] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0083.934] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0083.934] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.934] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0083.934] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.934] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0083.934] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.934] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0x110, lpOverlapped=0x0) returned 1 [0083.935] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.935] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0x110, lpOverlapped=0x0) returned 1 [0083.935] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.936] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0083.936] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0083.936] CloseHandle (hObject=0x200) returned 1 [0083.936] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json.protected") returned 165 [0083.936] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json.protected")) returned 1 [0083.942] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0083.942] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0083.942] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0083.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0083.942] lstrlenA (lpString="EMPTY") returned 5 [0083.942] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0083.943] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.943] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.943] CloseHandle (hObject=0x1fc) returned 1 [0083.943] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0083.944] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0083.944] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0083.944] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0083.944] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0083.944] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0083.944] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca") returned 141 [0083.944] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0083.944] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0083.944] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\*") returned 143 [0083.944] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0083.944] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.944] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.944] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.944] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.944] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.944] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\.") returned 143 [0083.944] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.944] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.944] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.944] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.944] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.944] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.944] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.944] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\..") returned 144 [0083.944] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.944] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.944] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.945] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.945] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.945] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.945] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.945] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.945] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0083.945] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.945] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.945] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0083.945] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0083.945] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0083.945] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0083.945] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.945] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0083.945] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.945] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0083.945] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.945] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0083.946] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.946] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0083.946] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.946] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0083.947] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0083.947] CloseHandle (hObject=0x200) returned 1 [0083.947] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json.protected") returned 165 [0083.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json.protected")) returned 1 [0083.947] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0083.947] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0083.947] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0083.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0083.948] lstrlenA (lpString="EMPTY") returned 5 [0083.948] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0083.948] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.948] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.949] CloseHandle (hObject=0x1fc) returned 1 [0083.949] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0083.949] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0083.949] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0083.949] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0083.949] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0083.949] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0083.949] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs") returned 141 [0083.949] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0083.949] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0083.949] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\*") returned 143 [0083.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0083.949] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.949] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.949] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.949] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.949] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.949] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\.") returned 143 [0083.950] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.950] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.950] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.950] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.950] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.950] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.950] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.950] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\..") returned 144 [0083.950] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.950] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.950] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.950] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.950] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.950] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.950] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.950] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.950] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0083.950] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.950] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.950] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0083.950] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0083.950] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0083.951] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0083.951] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.951] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0083.951] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.951] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0083.951] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.952] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0083.952] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.952] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0083.953] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.953] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0083.953] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0083.953] CloseHandle (hObject=0x200) returned 1 [0083.953] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json.protected") returned 165 [0083.953] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json.protected")) returned 1 [0083.954] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0083.954] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0083.954] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0083.954] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0083.956] lstrlenA (lpString="EMPTY") returned 5 [0083.956] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0083.957] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.957] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.957] CloseHandle (hObject=0x1fc) returned 1 [0083.957] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0083.957] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0083.957] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0083.957] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0083.957] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0083.957] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0083.957] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da") returned 141 [0083.957] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0083.957] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0083.957] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\*") returned 143 [0083.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0083.958] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.958] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.958] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.958] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.958] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.958] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\.") returned 143 [0083.958] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.958] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.958] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.958] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.958] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.958] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.958] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.958] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\..") returned 144 [0083.958] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.958] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.958] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.958] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.958] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.958] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.958] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.958] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.958] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json") returned 155 [0083.958] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.958] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.958] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0083.958] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0083.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0083.959] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json") returned 155 [0083.959] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.959] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json") returned 155 [0083.959] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.959] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json") returned 155 [0083.959] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.959] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0083.960] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.960] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0083.960] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.960] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0083.960] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0083.960] CloseHandle (hObject=0x200) returned 1 [0083.960] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json.protected") returned 165 [0083.960] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json.protected")) returned 1 [0083.961] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0083.961] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0083.961] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0083.961] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0083.961] lstrlenA (lpString="EMPTY") returned 5 [0083.961] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0083.962] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.962] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.962] CloseHandle (hObject=0x1fc) returned 1 [0083.962] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0083.962] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0083.962] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0083.962] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0083.962] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0083.962] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0083.963] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de") returned 141 [0083.963] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0083.963] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0083.963] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\*") returned 143 [0083.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0083.963] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.963] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.963] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.963] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.963] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.963] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\.") returned 143 [0083.963] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.963] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.963] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.963] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.963] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.963] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.963] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.963] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\..") returned 144 [0083.963] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.963] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.963] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.963] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.963] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.963] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.964] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.964] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.964] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json") returned 155 [0083.964] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.964] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.964] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0083.964] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0083.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0083.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json") returned 155 [0083.965] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json") returned 155 [0083.965] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json") returned 155 [0083.965] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.965] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xea, lpOverlapped=0x0) returned 1 [0083.966] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.966] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xea, lpOverlapped=0x0) returned 1 [0083.966] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.966] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0083.966] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0083.966] CloseHandle (hObject=0x200) returned 1 [0083.966] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json.protected") returned 165 [0083.966] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json.protected")) returned 1 [0083.967] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0083.967] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0083.967] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0083.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0083.967] lstrlenA (lpString="EMPTY") returned 5 [0083.967] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0083.968] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.968] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.968] CloseHandle (hObject=0x1fc) returned 1 [0083.968] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0083.968] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0083.968] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0083.968] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0083.968] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0083.968] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0083.969] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el") returned 141 [0083.969] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0083.969] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0083.969] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\*") returned 143 [0083.969] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0083.969] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.969] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.969] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.969] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.969] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.969] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\.") returned 143 [0083.969] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.969] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.969] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.969] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.969] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.969] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.969] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.969] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\..") returned 144 [0083.969] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.969] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.969] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.969] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.969] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.969] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.969] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.970] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.970] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json") returned 155 [0083.970] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.970] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.970] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0083.970] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0083.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0083.970] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json") returned 155 [0083.970] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.970] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json") returned 155 [0083.970] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.970] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json") returned 155 [0083.970] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.970] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0x112, lpOverlapped=0x0) returned 1 [0083.971] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.971] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0x112, lpOverlapped=0x0) returned 1 [0083.971] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.971] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0083.971] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0083.972] CloseHandle (hObject=0x200) returned 1 [0083.972] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json.protected") returned 165 [0083.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json.protected")) returned 1 [0083.972] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0083.972] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0083.972] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0083.972] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0083.973] lstrlenA (lpString="EMPTY") returned 5 [0083.973] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0083.974] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.974] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.974] CloseHandle (hObject=0x1fc) returned 1 [0083.974] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0083.974] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0083.974] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0083.974] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0083.974] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0083.974] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0083.974] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB") returned 144 [0083.974] lstrcmpW (lpString1="en_GB", lpString2=".") returned 1 [0083.974] lstrcmpW (lpString1="en_GB", lpString2="..") returned 1 [0083.974] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\*") returned 146 [0083.974] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0083.975] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.975] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.975] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.975] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.975] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.975] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\.") returned 146 [0083.975] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.975] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.975] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.975] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.975] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.975] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.975] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.975] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\..") returned 147 [0083.975] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.975] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.975] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.975] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.975] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.975] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.975] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.975] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.975] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0083.975] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.975] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.975] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0083.975] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0083.975] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0083.978] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0083.978] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.978] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0083.978] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.978] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0083.979] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.979] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xd6, lpOverlapped=0x0) returned 1 [0083.979] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.979] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xd6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xd6, lpOverlapped=0x0) returned 1 [0083.980] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.980] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0083.980] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0083.980] CloseHandle (hObject=0x200) returned 1 [0083.980] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json.protected") returned 168 [0083.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_gb\\messages.json.protected")) returned 1 [0083.981] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0083.981] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0083.981] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0083.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_gb\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0083.981] lstrlenA (lpString="EMPTY") returned 5 [0083.981] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0083.982] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.982] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.982] CloseHandle (hObject=0x1fc) returned 1 [0083.982] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0083.982] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0083.982] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0083.982] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0083.982] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0083.983] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0083.983] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US") returned 144 [0083.983] lstrcmpW (lpString1="en_US", lpString2=".") returned 1 [0083.983] lstrcmpW (lpString1="en_US", lpString2="..") returned 1 [0083.983] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\*") returned 146 [0083.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0083.983] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.983] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.983] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.983] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.983] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.983] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\.") returned 146 [0083.983] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.983] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.983] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.983] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.983] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.983] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.983] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.983] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\..") returned 147 [0083.983] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.983] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.984] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.984] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.984] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.984] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.984] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.984] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.984] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0083.984] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.984] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.984] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0083.984] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0083.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0083.984] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0083.984] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.984] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0083.984] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.984] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0083.984] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.984] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xd7, lpOverlapped=0x0) returned 1 [0083.985] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.985] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xd7, lpOverlapped=0x0) returned 1 [0083.985] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.985] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0083.986] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0083.986] CloseHandle (hObject=0x200) returned 1 [0083.986] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json.protected") returned 168 [0083.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_us\\messages.json.protected")) returned 1 [0083.986] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0083.986] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0083.986] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0083.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_us\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0083.987] lstrlenA (lpString="EMPTY") returned 5 [0083.987] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0083.988] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.988] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.988] CloseHandle (hObject=0x1fc) returned 1 [0083.988] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0083.988] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0083.988] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0083.988] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0083.988] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0083.988] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0083.988] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es") returned 141 [0083.988] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0083.988] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0083.988] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\*") returned 143 [0083.988] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0083.989] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.989] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.989] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.989] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.989] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.989] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\.") returned 143 [0083.989] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.989] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.989] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.989] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.989] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.989] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.989] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.989] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\..") returned 144 [0083.989] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.989] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.989] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.990] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.990] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.990] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.990] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.990] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.990] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json") returned 155 [0083.990] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.990] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.990] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0083.990] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0083.990] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0083.990] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json") returned 155 [0083.990] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.990] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json") returned 155 [0083.990] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.990] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json") returned 155 [0083.990] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.990] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xdf, lpOverlapped=0x0) returned 1 [0083.991] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.991] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xdf, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xdf, lpOverlapped=0x0) returned 1 [0083.991] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.991] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0083.991] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0083.992] CloseHandle (hObject=0x200) returned 1 [0083.992] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json.protected") returned 165 [0083.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json.protected")) returned 1 [0083.992] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0083.992] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0083.992] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0083.992] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0083.993] lstrlenA (lpString="EMPTY") returned 5 [0083.993] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0083.993] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.993] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.994] CloseHandle (hObject=0x1fc) returned 1 [0083.994] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0083.994] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0083.994] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0083.994] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0083.994] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0083.994] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0083.994] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419") returned 145 [0083.994] lstrcmpW (lpString1="es_419", lpString2=".") returned 1 [0083.994] lstrcmpW (lpString1="es_419", lpString2="..") returned 1 [0083.994] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\*") returned 147 [0083.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0083.994] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.994] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.994] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.994] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.994] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.994] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\.") returned 147 [0083.994] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.994] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.995] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.995] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.995] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.995] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.995] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.995] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\..") returned 148 [0083.995] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.995] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.995] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0083.995] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0083.995] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0083.995] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0083.995] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0083.995] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0083.995] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0083.995] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0083.995] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0083.995] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0083.995] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0083.995] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0083.995] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0083.995] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0083.995] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0083.995] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0083.995] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0083.995] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0083.996] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0083.996] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.996] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0083.997] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.997] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0083.997] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0083.997] CloseHandle (hObject=0x200) returned 1 [0083.997] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json.protected") returned 169 [0083.997] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json.protected")) returned 1 [0083.997] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0083.997] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0083.998] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0083.998] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0083.998] lstrlenA (lpString="EMPTY") returned 5 [0083.998] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0083.999] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0083.999] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0083.999] CloseHandle (hObject=0x1fc) returned 1 [0083.999] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0083.999] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0083.999] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0083.999] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0083.999] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0083.999] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0083.999] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et") returned 141 [0083.999] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0083.999] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0083.999] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\*") returned 143 [0083.999] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.000] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.000] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.000] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.000] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.000] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.000] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\.") returned 143 [0084.000] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.000] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.000] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.000] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.000] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.001] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.001] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.001] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\..") returned 144 [0084.001] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.001] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.001] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.001] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.001] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.001] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.001] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.001] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.001] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json") returned 155 [0084.001] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.001] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.001] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.001] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.001] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json") returned 155 [0084.001] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.001] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json") returned 155 [0084.001] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.002] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json") returned 155 [0084.002] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.002] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xd6, lpOverlapped=0x0) returned 1 [0084.002] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.002] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xd6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xd6, lpOverlapped=0x0) returned 1 [0084.003] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.003] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.003] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.003] CloseHandle (hObject=0x200) returned 1 [0084.003] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json.protected") returned 165 [0084.003] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json.protected")) returned 1 [0084.004] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.004] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.004] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.004] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.004] lstrlenA (lpString="EMPTY") returned 5 [0084.005] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.005] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.005] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.006] CloseHandle (hObject=0x1fc) returned 1 [0084.006] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.006] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0084.006] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0084.006] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0084.006] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0084.006] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0084.006] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi") returned 141 [0084.006] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0084.006] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0084.006] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\*") returned 143 [0084.006] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.006] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.006] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.006] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.006] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.006] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.006] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\.") returned 143 [0084.006] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.006] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.007] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.007] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.007] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.007] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.007] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.007] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\..") returned 144 [0084.007] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.007] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.007] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.007] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.007] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.007] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.007] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.007] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.007] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0084.007] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.007] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.007] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.007] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.008] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0084.008] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.008] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0084.008] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.008] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0084.008] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.008] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xd9, lpOverlapped=0x0) returned 1 [0084.009] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.009] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xd9, lpOverlapped=0x0) returned 1 [0084.009] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.009] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.009] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.009] CloseHandle (hObject=0x200) returned 1 [0084.009] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json.protected") returned 165 [0084.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json.protected")) returned 1 [0084.010] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.010] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.010] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.010] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.010] lstrlenA (lpString="EMPTY") returned 5 [0084.010] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.011] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.011] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.011] CloseHandle (hObject=0x1fc) returned 1 [0084.011] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.011] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0084.011] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0084.011] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0084.012] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0084.012] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0084.012] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil") returned 142 [0084.012] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0084.012] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0084.012] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\*") returned 144 [0084.012] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.013] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.013] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.013] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.013] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.013] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.013] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\.") returned 144 [0084.013] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.013] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.013] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.013] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.013] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.013] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.013] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.013] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\..") returned 145 [0084.013] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.013] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.013] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.013] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.013] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.013] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.013] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.013] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.013] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0084.013] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.013] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.013] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.013] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0084.014] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0084.014] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0084.014] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.014] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0084.015] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.015] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0084.015] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.015] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.015] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.015] CloseHandle (hObject=0x200) returned 1 [0084.015] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json.protected") returned 166 [0084.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json.protected")) returned 1 [0084.016] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.016] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.016] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0084.016] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.017] lstrlenA (lpString="EMPTY") returned 5 [0084.017] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.017] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.017] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.018] CloseHandle (hObject=0x1fc) returned 1 [0084.018] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.018] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0084.018] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0084.018] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0084.018] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0084.018] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0084.018] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr") returned 141 [0084.018] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0084.018] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0084.018] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\*") returned 143 [0084.018] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.018] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.018] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.018] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.018] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.018] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.018] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\.") returned 143 [0084.018] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.019] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.019] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.019] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.019] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.019] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.019] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.019] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\..") returned 144 [0084.019] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.019] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.019] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.019] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.019] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.019] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.019] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.019] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.019] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0084.019] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.019] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.019] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.019] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.019] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0084.019] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.019] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0084.019] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.020] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0084.020] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.020] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0084.020] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.020] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0084.021] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.021] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.021] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.021] CloseHandle (hObject=0x200) returned 1 [0084.021] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json.protected") returned 165 [0084.021] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json.protected")) returned 1 [0084.021] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.022] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.022] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.022] lstrlenA (lpString="EMPTY") returned 5 [0084.022] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.023] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.023] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.023] CloseHandle (hObject=0x1fc) returned 1 [0084.023] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.023] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0084.023] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0084.023] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0084.023] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0084.023] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0084.023] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he") returned 141 [0084.023] lstrcmpW (lpString1="he", lpString2=".") returned 1 [0084.023] lstrcmpW (lpString1="he", lpString2="..") returned 1 [0084.023] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\*") returned 143 [0084.023] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.024] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.024] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.024] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.024] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.024] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.024] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\.") returned 143 [0084.024] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.024] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.024] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.024] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.024] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.024] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.024] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.024] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\..") returned 144 [0084.024] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.024] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.025] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.025] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.025] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.025] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.025] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.025] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.025] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json") returned 155 [0084.025] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.025] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.025] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.025] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json") returned 155 [0084.025] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json") returned 155 [0084.025] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json") returned 155 [0084.025] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.025] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xe1, lpOverlapped=0x0) returned 1 [0084.026] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.026] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xe1, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xe1, lpOverlapped=0x0) returned 1 [0084.026] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.026] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.027] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.027] CloseHandle (hObject=0x200) returned 1 [0084.027] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json.protected") returned 165 [0084.027] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json.protected")) returned 1 [0084.027] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.027] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.027] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.028] lstrlenA (lpString="EMPTY") returned 5 [0084.028] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.028] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.028] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.029] CloseHandle (hObject=0x1fc) returned 1 [0084.029] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.029] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0084.029] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0084.029] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0084.029] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0084.029] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0084.029] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi") returned 141 [0084.029] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0084.029] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0084.029] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\*") returned 143 [0084.029] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.029] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.029] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.029] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.029] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.029] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.029] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\.") returned 143 [0084.029] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.029] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.029] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.030] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.030] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.030] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.030] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.030] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\..") returned 144 [0084.030] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.030] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.030] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.030] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.030] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.030] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.030] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.030] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.030] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0084.030] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.030] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.030] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.030] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.031] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0084.031] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.031] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0084.031] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.031] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0084.031] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.031] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0x123, lpOverlapped=0x0) returned 1 [0084.032] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffedd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.032] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x123, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0x123, lpOverlapped=0x0) returned 1 [0084.032] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.032] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.032] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.032] CloseHandle (hObject=0x200) returned 1 [0084.032] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json.protected") returned 165 [0084.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json.protected")) returned 1 [0084.033] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.033] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.033] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.033] lstrlenA (lpString="EMPTY") returned 5 [0084.033] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.034] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.034] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.034] CloseHandle (hObject=0x1fc) returned 1 [0084.034] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.034] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0084.034] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0084.034] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0084.034] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0084.034] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0084.034] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu") returned 141 [0084.034] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0084.034] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0084.035] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\*") returned 143 [0084.035] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.037] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.037] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.037] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.037] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.037] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.037] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\.") returned 143 [0084.037] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.037] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.038] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.038] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.038] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.038] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.038] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.038] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\..") returned 144 [0084.038] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.038] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.038] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.038] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.038] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.038] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.038] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.038] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.038] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0084.038] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.038] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.038] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.038] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.038] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0084.038] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.038] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0084.039] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.039] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0084.039] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.039] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xe6, lpOverlapped=0x0) returned 1 [0084.039] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.040] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xe6, lpOverlapped=0x0) returned 1 [0084.040] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.040] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.040] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.040] CloseHandle (hObject=0x200) returned 1 [0084.040] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json.protected") returned 165 [0084.040] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json.protected")) returned 1 [0084.041] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.041] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.041] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.041] lstrlenA (lpString="EMPTY") returned 5 [0084.041] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.042] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.042] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.042] CloseHandle (hObject=0x1fc) returned 1 [0084.042] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.042] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0084.042] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0084.042] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0084.042] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0084.042] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0084.042] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id") returned 141 [0084.043] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0084.043] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0084.043] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\*") returned 143 [0084.043] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.043] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.043] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.043] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.043] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.043] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.043] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\.") returned 143 [0084.043] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.043] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.043] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.043] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.043] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.043] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.043] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.043] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\..") returned 144 [0084.043] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.043] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.043] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.043] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.043] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.043] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.043] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.044] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.044] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json") returned 155 [0084.044] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.044] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.044] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.044] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.044] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.044] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json") returned 155 [0084.044] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.044] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json") returned 155 [0084.044] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.044] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json") returned 155 [0084.044] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.044] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xd0, lpOverlapped=0x0) returned 1 [0084.045] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.045] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xd0, lpOverlapped=0x0) returned 1 [0084.045] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.046] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.046] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.046] CloseHandle (hObject=0x200) returned 1 [0084.049] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json.protected") returned 165 [0084.049] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json.protected")) returned 1 [0084.049] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.049] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.049] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.050] lstrlenA (lpString="EMPTY") returned 5 [0084.050] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.050] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.050] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.051] CloseHandle (hObject=0x1fc) returned 1 [0084.051] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.051] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0084.051] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0084.051] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0084.051] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0084.051] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0084.051] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it") returned 141 [0084.051] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0084.051] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0084.051] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\*") returned 143 [0084.051] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.052] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.052] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.052] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.052] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.052] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.052] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\.") returned 143 [0084.052] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.052] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.052] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.052] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.052] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.052] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.052] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.052] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\..") returned 144 [0084.052] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.052] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.052] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.052] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.052] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.052] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.052] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.053] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.053] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json") returned 155 [0084.053] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.053] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.053] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.053] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.053] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.053] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json") returned 155 [0084.053] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.053] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json") returned 155 [0084.053] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.053] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json") returned 155 [0084.053] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.053] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0084.055] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.055] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0084.055] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.055] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.055] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.056] CloseHandle (hObject=0x200) returned 1 [0084.056] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json.protected") returned 165 [0084.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json.protected")) returned 1 [0084.056] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.056] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.056] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.056] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.057] lstrlenA (lpString="EMPTY") returned 5 [0084.057] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.057] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.057] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.058] CloseHandle (hObject=0x1fc) returned 1 [0084.058] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.058] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0084.058] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0084.058] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0084.058] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0084.058] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0084.058] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja") returned 141 [0084.058] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0084.058] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0084.058] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\*") returned 143 [0084.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.058] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.058] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.058] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.058] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.058] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.058] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\.") returned 143 [0084.058] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.058] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.058] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.058] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.059] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.059] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.059] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.059] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\..") returned 144 [0084.059] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.059] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.059] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.059] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.059] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.059] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.059] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.059] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.059] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0084.059] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.059] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.059] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.059] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.059] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0084.059] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.059] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0084.059] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.059] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0084.059] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.059] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xec, lpOverlapped=0x0) returned 1 [0084.060] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.060] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xec, lpOverlapped=0x0) returned 1 [0084.060] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.061] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.061] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.061] CloseHandle (hObject=0x200) returned 1 [0084.061] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json.protected") returned 165 [0084.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json.protected")) returned 1 [0084.061] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.062] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.062] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.062] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.062] lstrlenA (lpString="EMPTY") returned 5 [0084.062] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.063] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.063] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.063] CloseHandle (hObject=0x1fc) returned 1 [0084.063] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.063] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0084.063] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0084.063] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0084.063] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0084.063] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0084.063] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko") returned 141 [0084.063] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0084.063] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0084.063] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\*") returned 143 [0084.063] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.064] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.064] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.064] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.064] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.064] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.064] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\.") returned 143 [0084.064] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.064] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.064] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.064] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.064] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.064] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.065] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.065] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\..") returned 144 [0084.065] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.065] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.065] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.065] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.065] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.065] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.065] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.065] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.065] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0084.065] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.065] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.065] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.065] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.065] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.065] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0084.065] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.065] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0084.065] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.065] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0084.065] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.065] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xe6, lpOverlapped=0x0) returned 1 [0084.066] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.066] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xe6, lpOverlapped=0x0) returned 1 [0084.066] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.066] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.066] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.066] CloseHandle (hObject=0x200) returned 1 [0084.066] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json.protected") returned 165 [0084.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json.protected")) returned 1 [0084.067] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.067] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.067] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.067] lstrlenA (lpString="EMPTY") returned 5 [0084.067] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.068] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.068] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.068] CloseHandle (hObject=0x1fc) returned 1 [0084.068] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.068] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0084.068] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0084.068] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0084.068] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0084.068] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0084.068] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt") returned 141 [0084.068] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0084.068] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0084.068] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\*") returned 143 [0084.068] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.068] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.068] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.068] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.068] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.069] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.069] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\.") returned 143 [0084.069] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.069] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.069] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.069] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.069] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.069] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.069] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.069] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\..") returned 144 [0084.069] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.069] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.069] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.069] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.069] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.069] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.069] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.069] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.069] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0084.069] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.069] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.069] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.069] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.069] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.069] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0084.069] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.069] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0084.069] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.069] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0084.069] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.069] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xe4, lpOverlapped=0x0) returned 1 [0084.070] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.070] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xe4, lpOverlapped=0x0) returned 1 [0084.070] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.070] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.070] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.070] CloseHandle (hObject=0x200) returned 1 [0084.070] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json.protected") returned 165 [0084.070] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json.protected")) returned 1 [0084.071] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.071] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.071] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.071] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.071] lstrlenA (lpString="EMPTY") returned 5 [0084.071] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.072] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.072] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.072] CloseHandle (hObject=0x1fc) returned 1 [0084.072] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.072] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0084.072] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0084.072] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0084.072] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0084.072] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0084.072] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv") returned 141 [0084.072] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0084.072] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0084.072] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\*") returned 143 [0084.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.073] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.073] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.073] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.073] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.073] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.073] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\.") returned 143 [0084.073] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.073] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.073] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.073] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.073] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.073] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.073] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.073] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\..") returned 144 [0084.073] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.073] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.073] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.073] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.073] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.073] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.073] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.073] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.073] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0084.073] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.073] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.073] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.073] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.074] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0084.074] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.074] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0084.074] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.074] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0084.074] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.074] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xe9, lpOverlapped=0x0) returned 1 [0084.074] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff17, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.074] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xe9, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xe9, lpOverlapped=0x0) returned 1 [0084.075] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.075] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.075] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.075] CloseHandle (hObject=0x200) returned 1 [0084.075] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json.protected") returned 165 [0084.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json.protected")) returned 1 [0084.075] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.075] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.075] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.075] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.076] lstrlenA (lpString="EMPTY") returned 5 [0084.076] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.076] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.076] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.076] CloseHandle (hObject=0x1fc) returned 1 [0084.077] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.077] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0084.077] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0084.077] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0084.077] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0084.077] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0084.077] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms") returned 141 [0084.077] lstrcmpW (lpString1="ms", lpString2=".") returned 1 [0084.077] lstrcmpW (lpString1="ms", lpString2="..") returned 1 [0084.077] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\*") returned 143 [0084.077] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.077] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.077] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.077] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.077] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.077] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.077] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\.") returned 143 [0084.077] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.077] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.077] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.077] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.077] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.077] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.077] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.077] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\..") returned 144 [0084.077] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.077] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.077] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.077] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.077] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.077] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.077] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.078] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.078] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0084.078] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.078] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.078] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.078] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0084.078] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0084.078] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0084.078] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.078] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xd2, lpOverlapped=0x0) returned 1 [0084.079] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.079] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xd2, lpOverlapped=0x0) returned 1 [0084.079] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.079] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.079] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.079] CloseHandle (hObject=0x200) returned 1 [0084.079] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json.protected") returned 165 [0084.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json.protected")) returned 1 [0084.080] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.080] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.080] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.080] lstrlenA (lpString="EMPTY") returned 5 [0084.080] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.081] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.081] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.081] CloseHandle (hObject=0x1fc) returned 1 [0084.081] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.081] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0084.081] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0084.081] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0084.081] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0084.081] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0084.081] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl") returned 141 [0084.081] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0084.081] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0084.081] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\*") returned 143 [0084.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.082] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.082] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.082] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.082] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.082] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.082] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\.") returned 143 [0084.082] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.082] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.082] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.082] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.082] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.082] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.082] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.082] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\..") returned 144 [0084.082] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.082] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.082] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.082] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.082] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.082] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.083] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.083] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.083] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0084.083] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.083] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.083] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.083] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.083] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0084.083] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.083] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0084.083] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.083] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0084.083] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.083] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0084.084] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.084] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0084.084] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.084] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.084] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.084] CloseHandle (hObject=0x200) returned 1 [0084.084] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json.protected") returned 165 [0084.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json.protected")) returned 1 [0084.085] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.085] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.085] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.085] lstrlenA (lpString="EMPTY") returned 5 [0084.085] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.085] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.085] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.086] CloseHandle (hObject=0x1fc) returned 1 [0084.086] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.086] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0084.086] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0084.086] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0084.086] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0084.086] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0084.086] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no") returned 141 [0084.086] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0084.086] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0084.086] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\*") returned 143 [0084.086] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.086] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.086] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.086] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.086] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.086] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.086] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\.") returned 143 [0084.086] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.086] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.086] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.086] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.086] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.086] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.086] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.086] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\..") returned 144 [0084.086] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.086] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.086] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.086] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.086] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.087] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.087] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.087] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.087] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json") returned 155 [0084.087] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.087] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.087] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.087] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.087] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json") returned 155 [0084.087] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.087] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json") returned 155 [0084.087] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.087] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json") returned 155 [0084.087] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.087] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xcb, lpOverlapped=0x0) returned 1 [0084.088] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.088] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xcb, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xcb, lpOverlapped=0x0) returned 1 [0084.088] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.088] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.088] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.088] CloseHandle (hObject=0x200) returned 1 [0084.088] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json.protected") returned 165 [0084.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json.protected")) returned 1 [0084.089] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.089] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.089] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.089] lstrlenA (lpString="EMPTY") returned 5 [0084.089] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.090] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.090] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.090] CloseHandle (hObject=0x1fc) returned 1 [0084.090] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.090] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0084.090] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0084.090] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0084.090] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0084.090] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0084.090] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl") returned 141 [0084.090] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0084.090] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0084.090] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\*") returned 143 [0084.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.091] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.091] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.091] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.091] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.091] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.091] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\.") returned 143 [0084.091] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.091] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.091] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.091] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.091] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.091] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.091] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.091] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\..") returned 144 [0084.091] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.091] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.091] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.091] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.091] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.091] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.091] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.091] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.091] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0084.091] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.091] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.091] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.091] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.092] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0084.092] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.092] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0084.092] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.092] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0084.092] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.092] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xd9, lpOverlapped=0x0) returned 1 [0084.093] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.093] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xd9, lpOverlapped=0x0) returned 1 [0084.093] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.093] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.093] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.093] CloseHandle (hObject=0x200) returned 1 [0084.094] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json.protected") returned 165 [0084.094] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json.protected")) returned 1 [0084.094] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.094] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.094] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.095] lstrlenA (lpString="EMPTY") returned 5 [0084.095] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.095] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.095] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.095] CloseHandle (hObject=0x1fc) returned 1 [0084.095] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.095] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0084.095] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0084.096] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0084.096] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0084.096] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0084.096] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR") returned 144 [0084.096] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0084.096] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0084.096] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\*") returned 146 [0084.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.096] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.096] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.096] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.096] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.096] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.096] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\.") returned 146 [0084.096] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.096] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.096] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.096] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.096] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.096] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.096] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.096] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\..") returned 147 [0084.096] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.096] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.096] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.096] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.096] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.096] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.096] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.096] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.096] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0084.096] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.097] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.097] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.097] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.097] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0084.097] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.097] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0084.097] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.097] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0084.097] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.097] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0084.098] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.098] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0084.098] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.098] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.098] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.098] CloseHandle (hObject=0x200) returned 1 [0084.098] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json.protected") returned 168 [0084.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0084.099] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.099] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.099] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0084.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_br\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.099] lstrlenA (lpString="EMPTY") returned 5 [0084.099] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.100] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.100] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.100] CloseHandle (hObject=0x1fc) returned 1 [0084.100] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.100] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0084.100] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0084.100] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0084.100] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0084.100] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0084.100] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT") returned 144 [0084.100] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0084.100] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0084.100] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\*") returned 146 [0084.100] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.101] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.101] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.101] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.101] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.101] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.101] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\.") returned 146 [0084.101] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.101] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.101] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.101] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.101] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.101] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.101] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.101] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\..") returned 147 [0084.101] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.101] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.101] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.101] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.101] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.101] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.101] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.101] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.101] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0084.102] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.102] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.102] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.102] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.102] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0084.102] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.102] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0084.102] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.102] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0084.102] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.102] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0084.103] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.103] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0084.103] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.103] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.103] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.103] CloseHandle (hObject=0x200) returned 1 [0084.104] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json.protected") returned 168 [0084.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0084.104] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.104] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.104] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0084.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_pt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.105] lstrlenA (lpString="EMPTY") returned 5 [0084.105] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.105] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.105] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.105] CloseHandle (hObject=0x1fc) returned 1 [0084.105] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.105] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0084.105] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0084.105] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0084.105] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0084.105] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0084.106] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro") returned 141 [0084.106] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0084.106] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0084.106] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\*") returned 143 [0084.106] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.106] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.106] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.106] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.106] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.106] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.106] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\.") returned 143 [0084.106] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.106] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.106] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.106] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.106] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.106] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.106] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.106] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\..") returned 144 [0084.106] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.106] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.106] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.106] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.106] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.106] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.106] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.106] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.106] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0084.106] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.106] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.106] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.106] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0084.107] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0084.107] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0084.107] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.107] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0084.107] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.107] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0084.108] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.108] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.108] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.108] CloseHandle (hObject=0x200) returned 1 [0084.108] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json.protected") returned 165 [0084.108] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json.protected")) returned 1 [0084.108] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.108] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.108] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.109] lstrlenA (lpString="EMPTY") returned 5 [0084.109] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.109] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.109] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.109] CloseHandle (hObject=0x1fc) returned 1 [0084.110] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.110] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0084.110] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0084.110] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0084.110] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0084.110] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0084.110] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru") returned 141 [0084.110] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0084.110] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0084.110] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\*") returned 143 [0084.110] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.111] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.111] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.111] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.111] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.111] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.111] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\.") returned 143 [0084.111] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.111] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.111] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.111] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.111] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.111] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.111] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.111] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\..") returned 144 [0084.111] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.111] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.111] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.112] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.112] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.112] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.112] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.112] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.112] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0084.112] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.112] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.112] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.112] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.112] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0084.112] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.112] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0084.112] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.112] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0084.112] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.112] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0x110, lpOverlapped=0x0) returned 1 [0084.113] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.113] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0x110, lpOverlapped=0x0) returned 1 [0084.113] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.113] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.114] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.114] CloseHandle (hObject=0x200) returned 1 [0084.114] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json.protected") returned 165 [0084.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json.protected")) returned 1 [0084.114] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.114] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.114] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.115] lstrlenA (lpString="EMPTY") returned 5 [0084.115] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.116] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.116] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.116] CloseHandle (hObject=0x1fc) returned 1 [0084.116] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.116] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0084.116] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0084.116] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0084.116] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0084.116] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0084.116] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk") returned 141 [0084.116] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0084.116] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0084.116] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\*") returned 143 [0084.116] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.116] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.116] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.116] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.116] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.116] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.116] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\.") returned 143 [0084.116] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.117] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.117] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.117] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.117] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.117] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.117] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.117] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\..") returned 144 [0084.117] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.117] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.117] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.117] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.117] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.117] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.117] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.117] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.117] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0084.117] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.117] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.117] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.117] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0084.117] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0084.118] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.118] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0084.118] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.118] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xe3, lpOverlapped=0x0) returned 1 [0084.119] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.119] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xe3, lpOverlapped=0x0) returned 1 [0084.119] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.119] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.119] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.119] CloseHandle (hObject=0x200) returned 1 [0084.119] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json.protected") returned 165 [0084.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json.protected")) returned 1 [0084.120] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.120] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.120] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.120] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.120] lstrlenA (lpString="EMPTY") returned 5 [0084.120] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.121] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.121] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.121] CloseHandle (hObject=0x1fc) returned 1 [0084.121] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.121] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0084.121] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0084.121] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0084.121] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0084.121] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0084.121] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl") returned 141 [0084.122] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0084.122] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0084.122] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\*") returned 143 [0084.122] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.122] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.122] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.122] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.122] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.122] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.123] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\.") returned 143 [0084.123] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.123] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.123] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.123] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.123] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.123] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.123] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.123] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\..") returned 144 [0084.123] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.123] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.123] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.123] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.123] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.123] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.123] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.123] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.123] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0084.123] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.123] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.123] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.123] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.123] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0084.124] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.124] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0084.124] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.124] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0084.124] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.124] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xdf, lpOverlapped=0x0) returned 1 [0084.124] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.125] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xdf, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xdf, lpOverlapped=0x0) returned 1 [0084.125] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.125] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.125] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.125] CloseHandle (hObject=0x200) returned 1 [0084.125] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json.protected") returned 165 [0084.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json.protected")) returned 1 [0084.126] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.126] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.126] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.126] lstrlenA (lpString="EMPTY") returned 5 [0084.126] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.127] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.127] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.127] CloseHandle (hObject=0x1fc) returned 1 [0084.127] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.127] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0084.127] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0084.127] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0084.127] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0084.127] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0084.127] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr") returned 141 [0084.127] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0084.128] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0084.128] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\*") returned 143 [0084.128] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.128] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.128] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.128] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.128] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.128] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.128] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\.") returned 143 [0084.128] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.128] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.128] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.128] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.128] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.128] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.128] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.128] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\..") returned 144 [0084.128] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.128] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.128] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.128] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.128] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.128] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.128] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.128] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.128] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0084.128] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.129] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.129] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.129] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.129] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0084.129] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.129] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0084.129] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.129] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0084.129] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.129] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0x104, lpOverlapped=0x0) returned 1 [0084.130] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.130] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0x104, lpOverlapped=0x0) returned 1 [0084.130] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.130] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.130] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.130] CloseHandle (hObject=0x200) returned 1 [0084.130] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json.protected") returned 165 [0084.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json.protected")) returned 1 [0084.131] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.131] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.131] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.131] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.131] lstrlenA (lpString="EMPTY") returned 5 [0084.131] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.132] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.132] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.132] CloseHandle (hObject=0x1fc) returned 1 [0084.132] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.133] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0084.133] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0084.133] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0084.133] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0084.133] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0084.133] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv") returned 141 [0084.133] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0084.133] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0084.133] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\*") returned 143 [0084.133] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.134] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.134] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.134] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.134] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.134] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.134] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\.") returned 143 [0084.134] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.134] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.134] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.134] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.134] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.134] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.134] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.134] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\..") returned 144 [0084.134] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.134] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.134] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.134] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.134] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.134] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.134] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.134] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.134] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0084.134] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.134] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.134] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.134] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.135] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0084.135] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.135] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0084.135] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.135] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0084.135] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.135] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xe2, lpOverlapped=0x0) returned 1 [0084.136] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.136] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xe2, lpOverlapped=0x0) returned 1 [0084.136] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.136] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.136] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.136] CloseHandle (hObject=0x200) returned 1 [0084.136] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json.protected") returned 165 [0084.136] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json.protected")) returned 1 [0084.137] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.137] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.137] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.137] lstrlenA (lpString="EMPTY") returned 5 [0084.137] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.138] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.138] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.138] CloseHandle (hObject=0x1fc) returned 1 [0084.138] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.138] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0084.138] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0084.138] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0084.138] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0084.138] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0084.139] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th") returned 141 [0084.139] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0084.139] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0084.139] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\*") returned 143 [0084.139] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.139] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.139] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.139] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.139] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.139] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.139] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\.") returned 143 [0084.139] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.139] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.139] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.139] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.139] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.139] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.139] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.139] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\..") returned 144 [0084.139] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.139] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.139] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.139] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.139] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.139] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.140] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.140] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.140] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json") returned 155 [0084.140] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.140] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.140] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.140] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.140] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json") returned 155 [0084.140] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.140] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json") returned 155 [0084.140] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.140] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json") returned 155 [0084.140] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.140] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0x104, lpOverlapped=0x0) returned 1 [0084.141] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.141] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0x104, lpOverlapped=0x0) returned 1 [0084.141] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.141] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.142] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.142] CloseHandle (hObject=0x200) returned 1 [0084.142] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json.protected") returned 165 [0084.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json.protected")) returned 1 [0084.142] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.142] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.142] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.143] lstrlenA (lpString="EMPTY") returned 5 [0084.143] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.144] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.144] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.144] CloseHandle (hObject=0x1fc) returned 1 [0084.144] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.144] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0084.144] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0084.144] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0084.144] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0084.144] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0084.144] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr") returned 141 [0084.144] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0084.144] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0084.144] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\*") returned 143 [0084.144] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.145] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.145] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.145] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.145] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.145] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.145] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\.") returned 143 [0084.145] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.145] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.145] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.146] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.146] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.146] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.146] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.146] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\..") returned 144 [0084.146] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.146] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.146] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.146] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.146] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.146] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.146] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.146] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.146] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0084.146] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.146] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.146] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.146] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.146] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0084.146] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.146] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0084.146] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.146] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0084.146] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.147] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0084.147] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.147] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0084.148] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.148] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.148] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.148] CloseHandle (hObject=0x200) returned 1 [0084.148] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json.protected") returned 165 [0084.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json.protected")) returned 1 [0084.148] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.148] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.148] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.149] lstrlenA (lpString="EMPTY") returned 5 [0084.149] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.149] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.149] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.149] CloseHandle (hObject=0x1fc) returned 1 [0084.150] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.150] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0084.150] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0084.150] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0084.150] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0084.150] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0084.150] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk") returned 141 [0084.150] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0084.150] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0084.150] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\*") returned 143 [0084.150] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.150] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.150] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.150] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.150] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.150] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.150] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\.") returned 143 [0084.150] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.150] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.150] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.150] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.150] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.150] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.150] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.150] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\..") returned 144 [0084.150] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.150] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.150] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.150] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.150] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.151] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.151] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.151] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.151] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0084.151] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.151] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.151] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.151] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.151] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0084.151] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.151] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0084.151] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.151] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0084.151] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.151] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0x10e, lpOverlapped=0x0) returned 1 [0084.152] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.152] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x10e, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0x10e, lpOverlapped=0x0) returned 1 [0084.152] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.152] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.152] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.152] CloseHandle (hObject=0x200) returned 1 [0084.152] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json.protected") returned 165 [0084.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json.protected")) returned 1 [0084.153] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.153] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.153] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.153] lstrlenA (lpString="EMPTY") returned 5 [0084.153] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.154] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.154] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.154] CloseHandle (hObject=0x1fc) returned 1 [0084.154] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.154] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0084.154] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0084.154] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0084.154] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0084.154] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0084.154] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi") returned 141 [0084.154] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0084.154] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0084.154] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\*") returned 143 [0084.154] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.155] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.155] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.155] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.155] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.155] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.155] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\.") returned 143 [0084.155] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.155] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.155] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.155] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.155] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.155] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.155] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.155] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\..") returned 144 [0084.155] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.155] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.155] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.155] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.155] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.155] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.155] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.155] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.155] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0084.155] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.155] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.155] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.155] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.156] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0084.156] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.156] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0084.156] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.156] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0084.156] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.156] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xed, lpOverlapped=0x0) returned 1 [0084.157] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.157] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xed, lpOverlapped=0x0) returned 1 [0084.157] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.157] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.157] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.157] CloseHandle (hObject=0x200) returned 1 [0084.157] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json.protected") returned 165 [0084.157] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json.protected")) returned 1 [0084.157] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.157] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.158] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.159] lstrlenA (lpString="EMPTY") returned 5 [0084.159] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.159] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.160] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.160] CloseHandle (hObject=0x1fc) returned 1 [0084.160] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.160] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0084.160] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0084.160] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0084.160] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0084.160] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0084.160] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN") returned 144 [0084.160] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0084.160] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0084.160] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\*") returned 146 [0084.160] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.160] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.160] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.160] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.160] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.160] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.160] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\.") returned 146 [0084.160] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.160] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.160] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.160] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.160] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.160] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.160] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.160] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\..") returned 147 [0084.160] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.160] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.161] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.161] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.161] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.161] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.161] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.161] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.161] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0084.161] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.161] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.161] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.161] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.161] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0084.161] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.161] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0084.161] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.161] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0084.161] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.161] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xd7, lpOverlapped=0x0) returned 1 [0084.162] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.162] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xd7, lpOverlapped=0x0) returned 1 [0084.162] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.162] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.162] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.162] CloseHandle (hObject=0x200) returned 1 [0084.162] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json.protected") returned 168 [0084.162] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0084.163] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.163] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.163] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0084.163] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_cn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.163] lstrlenA (lpString="EMPTY") returned 5 [0084.163] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.164] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.164] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.164] CloseHandle (hObject=0x1fc) returned 1 [0084.164] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.164] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0084.164] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0084.164] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0084.164] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0084.164] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0084.164] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW") returned 144 [0084.164] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0084.164] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0084.164] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\*") returned 146 [0084.164] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.164] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.164] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.164] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.164] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.164] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.164] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\.") returned 146 [0084.164] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.164] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.164] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.164] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.164] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.164] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.164] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.164] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\..") returned 147 [0084.164] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.164] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.165] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.165] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.165] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.165] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.165] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.165] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.165] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0084.165] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.165] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.165] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.165] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.165] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0084.165] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.165] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0084.165] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.165] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0084.165] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.165] ReadFile (in: hFile=0x200, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed0c8*=0xd1, lpOverlapped=0x0) returned 1 [0084.166] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.166] WriteFile (in: hFile=0x200, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xd1, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed0c8*=0xd1, lpOverlapped=0x0) returned 1 [0084.166] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.166] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.166] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.166] CloseHandle (hObject=0x200) returned 1 [0084.166] wnsprintfW (in: pszDest=0x2e23180, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json.protected") returned 168 [0084.166] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0084.167] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.167] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.167] wnsprintfW (in: pszDest=0x2e13138, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0084.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_tw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.167] lstrlenA (lpString="EMPTY") returned 5 [0084.167] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.168] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.168] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.168] CloseHandle (hObject=0x1fc) returned 1 [0084.168] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0084.168] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0084.168] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 168 [0084.168] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0084.169] lstrlenA (lpString="EMPTY") returned 5 [0084.169] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0084.169] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.170] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0084.170] CloseHandle (hObject=0x1f8) returned 1 [0084.170] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0084.170] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0084.170] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0084.170] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0084.170] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0084.170] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0084.170] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata") returned 139 [0084.170] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0084.170] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0084.170] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\*") returned 141 [0084.170] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0084.170] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.170] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.170] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.170] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.170] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.170] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\.") returned 141 [0084.170] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.171] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.171] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.171] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.171] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.171] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.171] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.171] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\..") returned 142 [0084.171] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.171] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.171] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.171] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0084.171] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0084.171] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files (x86)") returned -1 [0084.171] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0084.171] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0084.171] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0084.171] StrStrIW (lpFirst="computed_hashes.json", lpSrch=".protected") returned 0x0 [0084.171] lstrcmpW (lpString1="computed_hashes.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0084.171] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0084.171] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0084.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.171] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0084.172] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0084.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0084.172] StrStrW (lpFirst="computed_hashes.json", lpSrch=".rar") returned 0x0 [0084.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0084.172] StrStrW (lpFirst="computed_hashes.json", lpSrch=".zip") returned 0x0 [0084.172] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x160, lpOverlapped=0x0) returned 1 [0084.172] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffffea0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.172] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x160, lpOverlapped=0x0) returned 1 [0084.173] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.173] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0084.173] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0084.173] CloseHandle (hObject=0x1fc) returned 1 [0084.173] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json.protected") returned 170 [0084.173] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json.protected")) returned 1 [0084.173] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.173] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0084.173] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0084.173] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0084.173] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0084.174] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0084.174] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0084.174] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0084.174] lstrcmpW (lpString1="verified_contents.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.174] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0084.174] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0084.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0084.174] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0084.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0084.174] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0084.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0084.174] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0084.174] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0084.239] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.239] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0084.239] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.240] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0084.240] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0084.240] CloseHandle (hObject=0x1fc) returned 1 [0084.240] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json.protected") returned 172 [0084.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json.protected")) returned 1 [0084.241] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0084.241] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0084.241] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 169 [0084.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0084.242] lstrlenA (lpString="EMPTY") returned 5 [0084.242] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0084.243] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.243] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0084.243] CloseHandle (hObject=0x1f8) returned 1 [0084.243] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0 [0084.243] FindClose (in: hFindFile=0x557570 | out: hFindFile=0x557570) returned 1 [0084.245] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 159 [0084.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0084.245] lstrlenA (lpString="EMPTY") returned 5 [0084.245] WriteFile (in: hFile=0x1f4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed6c4*=0x5, lpOverlapped=0x0) returned 1 [0084.246] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.246] WriteFile (in: hFile=0x1f4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed6c4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.246] CloseHandle (hObject=0x1f4) returned 1 [0084.246] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0 [0084.246] FindClose (in: hFindFile=0x557530 | out: hFindFile=0x557530) returned 1 [0084.246] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 153 [0084.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0084.247] lstrlenA (lpString="EMPTY") returned 5 [0084.247] WriteFile (in: hFile=0x1f0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed9bc*=0x5, lpOverlapped=0x0) returned 1 [0084.247] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.247] WriteFile (in: hFile=0x1f0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed9bc*=0x2ac, lpOverlapped=0x0) returned 1 [0084.247] CloseHandle (hObject=0x1f0) returned 1 [0084.247] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0084.247] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="Windows") returned -1 [0084.248] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="Program Files") returned -1 [0084.248] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="Program Files (x86)") returned -1 [0084.248] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="$Recycle.bin") returned 1 [0084.248] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="System Volume Information") returned -1 [0084.248] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 123 [0084.248] lstrcmpW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2=".") returned 1 [0084.248] lstrcmpW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="..") returned 1 [0084.248] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\*") returned 125 [0084.248] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\*", lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0x557530 [0084.248] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.248] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.248] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.248] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.248] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.248] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\.") returned 125 [0084.248] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.248] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0084.248] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.248] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.248] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.248] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.248] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.248] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\..") returned 126 [0084.248] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.248] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.248] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0084.248] lstrcmpiW (lpString1="0.9_0", lpString2="Windows") returned -1 [0084.248] lstrcmpiW (lpString1="0.9_0", lpString2="Program Files") returned -1 [0084.248] lstrcmpiW (lpString1="0.9_0", lpString2="Program Files (x86)") returned -1 [0084.248] lstrcmpiW (lpString1="0.9_0", lpString2="$Recycle.bin") returned 1 [0084.248] lstrcmpiW (lpString1="0.9_0", lpString2="System Volume Information") returned -1 [0084.248] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0") returned 129 [0084.249] lstrcmpW (lpString1="0.9_0", lpString2=".") returned 1 [0084.249] lstrcmpW (lpString1="0.9_0", lpString2="..") returned 1 [0084.249] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\*") returned 131 [0084.249] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\*", lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0x557570 [0084.369] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.369] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.369] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.369] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.369] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.369] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\.") returned 131 [0084.369] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.369] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0084.369] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.369] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.369] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.369] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.369] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.369] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\..") returned 132 [0084.369] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.369] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.369] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0084.369] lstrcmpiW (lpString1="icon_128.png", lpString2="Windows") returned -1 [0084.369] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files") returned -1 [0084.369] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files (x86)") returned -1 [0084.369] lstrcmpiW (lpString1="icon_128.png", lpString2="$Recycle.bin") returned 1 [0084.369] lstrcmpiW (lpString1="icon_128.png", lpString2="System Volume Information") returned -1 [0084.369] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png") returned 142 [0084.369] StrStrIW (lpFirst="icon_128.png", lpSrch=".protected") returned 0x0 [0084.369] lstrcmpW (lpString1="icon_128.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.369] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0084.369] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0084.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0084.388] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png") returned 142 [0084.388] StrStrW (lpFirst="icon_128.png", lpSrch=".txt") returned 0x0 [0084.388] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png") returned 142 [0084.388] StrStrW (lpFirst="icon_128.png", lpSrch=".rar") returned 0x0 [0084.388] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png") returned 142 [0084.388] StrStrW (lpFirst="icon_128.png", lpSrch=".zip") returned 0x0 [0084.389] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0xc8d, lpOverlapped=0x0) returned 1 [0084.452] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffff373, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.452] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0xc8d, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0xc8d, lpOverlapped=0x0) returned 1 [0084.453] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.453] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0084.453] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0084.453] CloseHandle (hObject=0x1f8) returned 1 [0084.453] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.protected") returned 152 [0084.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.protected")) returned 1 [0084.454] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0084.454] lstrcmpiW (lpString1="icon_16.png", lpString2="Windows") returned -1 [0084.454] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files") returned -1 [0084.454] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files (x86)") returned -1 [0084.454] lstrcmpiW (lpString1="icon_16.png", lpString2="$Recycle.bin") returned 1 [0084.454] lstrcmpiW (lpString1="icon_16.png", lpString2="System Volume Information") returned -1 [0084.454] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png") returned 141 [0084.454] StrStrIW (lpFirst="icon_16.png", lpSrch=".protected") returned 0x0 [0084.454] lstrcmpW (lpString1="icon_16.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.454] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0084.454] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0084.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0084.455] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png") returned 141 [0084.455] StrStrW (lpFirst="icon_16.png", lpSrch=".txt") returned 0x0 [0084.455] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png") returned 141 [0084.455] StrStrW (lpFirst="icon_16.png", lpSrch=".rar") returned 0x0 [0084.455] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png") returned 141 [0084.455] StrStrW (lpFirst="icon_16.png", lpSrch=".zip") returned 0x0 [0084.455] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x8f, lpOverlapped=0x0) returned 1 [0084.456] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffff71, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.456] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x8f, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x8f, lpOverlapped=0x0) returned 1 [0084.456] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.457] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0084.457] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0084.457] CloseHandle (hObject=0x1f8) returned 1 [0084.457] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png.protected") returned 151 [0084.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png.protected")) returned 1 [0084.458] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0084.458] lstrcmpiW (lpString1="main.html", lpString2="Windows") returned -1 [0084.458] lstrcmpiW (lpString1="main.html", lpString2="Program Files") returned -1 [0084.458] lstrcmpiW (lpString1="main.html", lpString2="Program Files (x86)") returned -1 [0084.458] lstrcmpiW (lpString1="main.html", lpString2="$Recycle.bin") returned 1 [0084.458] lstrcmpiW (lpString1="main.html", lpString2="System Volume Information") returned -1 [0084.458] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html") returned 139 [0084.458] StrStrIW (lpFirst="main.html", lpSrch=".protected") returned 0x0 [0084.458] lstrcmpW (lpString1="main.html", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.458] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0084.458] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0084.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0084.458] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html") returned 139 [0084.458] StrStrW (lpFirst="main.html", lpSrch=".txt") returned 0x0 [0084.458] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html") returned 139 [0084.458] StrStrW (lpFirst="main.html", lpSrch=".rar") returned 0x0 [0084.458] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html") returned 139 [0084.458] StrStrW (lpFirst="main.html", lpSrch=".zip") returned 0x0 [0084.459] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x5c, lpOverlapped=0x0) returned 1 [0084.459] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffffa4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.459] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x5c, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x5c, lpOverlapped=0x0) returned 1 [0084.460] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.460] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0084.460] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0084.460] CloseHandle (hObject=0x1f8) returned 1 [0084.461] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html.protected") returned 149 [0084.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html.protected")) returned 1 [0084.462] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0084.462] lstrcmpiW (lpString1="main.js", lpString2="Windows") returned -1 [0084.462] lstrcmpiW (lpString1="main.js", lpString2="Program Files") returned -1 [0084.462] lstrcmpiW (lpString1="main.js", lpString2="Program Files (x86)") returned -1 [0084.462] lstrcmpiW (lpString1="main.js", lpString2="$Recycle.bin") returned 1 [0084.462] lstrcmpiW (lpString1="main.js", lpString2="System Volume Information") returned -1 [0084.462] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js") returned 137 [0084.462] StrStrIW (lpFirst="main.js", lpSrch=".protected") returned 0x0 [0084.462] lstrcmpW (lpString1="main.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.462] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0084.462] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0084.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0084.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js") returned 137 [0084.462] StrStrW (lpFirst="main.js", lpSrch=".txt") returned 0x0 [0084.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js") returned 137 [0084.462] StrStrW (lpFirst="main.js", lpSrch=".rar") returned 0x0 [0084.462] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js") returned 137 [0084.462] StrStrW (lpFirst="main.js", lpSrch=".zip") returned 0x0 [0084.462] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x5b, lpOverlapped=0x0) returned 1 [0084.463] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffffa5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.463] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x5b, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x5b, lpOverlapped=0x0) returned 1 [0084.464] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.464] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0084.464] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0084.464] CloseHandle (hObject=0x1f8) returned 1 [0084.465] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js.protected") returned 147 [0084.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js.protected")) returned 1 [0084.465] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0084.465] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0084.465] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0084.465] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0084.465] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0084.465] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0084.465] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json") returned 143 [0084.465] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0084.465] lstrcmpW (lpString1="manifest.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.465] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0084.465] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0084.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0084.466] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json") returned 143 [0084.466] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0084.466] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json") returned 143 [0084.466] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0084.466] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json") returned 143 [0084.466] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0084.466] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2d5, lpOverlapped=0x0) returned 1 [0084.467] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffffd2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.467] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2d5, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2d5, lpOverlapped=0x0) returned 1 [0084.468] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.468] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0084.468] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0084.468] CloseHandle (hObject=0x1f8) returned 1 [0084.469] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json.protected") returned 153 [0084.469] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json.protected")) returned 1 [0084.469] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0084.469] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0084.469] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0084.469] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0084.469] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0084.469] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0084.469] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales") returned 138 [0084.469] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0084.469] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0084.469] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\*") returned 140 [0084.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0084.521] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.521] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.521] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.521] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.521] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.521] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\.") returned 140 [0084.521] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.521] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.521] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.521] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.521] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.522] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.522] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.522] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\..") returned 141 [0084.522] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.522] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.522] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.522] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0084.522] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0084.522] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0084.522] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0084.522] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0084.522] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar") returned 141 [0084.522] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0084.522] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0084.522] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\*") returned 143 [0084.522] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.522] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.522] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.522] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.522] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.522] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.522] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\.") returned 143 [0084.523] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.523] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.523] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.523] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.523] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.523] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.523] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.523] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\..") returned 144 [0084.523] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.523] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.523] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.523] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.523] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.523] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.523] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.523] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.523] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0084.523] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.523] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.523] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.523] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0084.523] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0084.523] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0084.523] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.524] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xf6, lpOverlapped=0x0) returned 1 [0084.524] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.524] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xf6, lpOverlapped=0x0) returned 1 [0084.524] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.524] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.525] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.525] CloseHandle (hObject=0x200) returned 1 [0084.525] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json.protected") returned 165 [0084.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json.protected")) returned 1 [0084.525] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.525] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.526] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.526] lstrlenA (lpString="EMPTY") returned 5 [0084.526] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.526] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.526] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.527] CloseHandle (hObject=0x1fc) returned 1 [0084.527] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.527] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0084.527] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0084.527] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0084.527] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0084.527] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0084.527] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg") returned 141 [0084.527] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0084.527] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0084.527] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\*") returned 143 [0084.527] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.527] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.527] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.527] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.527] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.527] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.527] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\.") returned 143 [0084.527] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.527] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.527] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.527] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.527] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.527] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.527] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.527] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\..") returned 144 [0084.527] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.527] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.527] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.527] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.527] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.528] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.528] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.528] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.528] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0084.528] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.528] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.528] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.528] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.528] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.548] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0084.548] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.548] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0084.548] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.548] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0084.548] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.549] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x108, lpOverlapped=0x0) returned 1 [0084.549] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.549] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x108, lpOverlapped=0x0) returned 1 [0084.549] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.549] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.550] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.550] CloseHandle (hObject=0x200) returned 1 [0084.550] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json.protected") returned 165 [0084.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json.protected")) returned 1 [0084.550] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.551] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.551] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.551] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.551] lstrlenA (lpString="EMPTY") returned 5 [0084.551] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.552] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.552] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.552] CloseHandle (hObject=0x1fc) returned 1 [0084.552] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.552] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0084.552] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0084.552] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0084.552] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0084.552] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0084.552] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca") returned 141 [0084.552] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0084.552] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0084.552] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\*") returned 143 [0084.552] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.552] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.552] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.552] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.552] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.552] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.552] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\.") returned 143 [0084.553] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.553] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.553] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.553] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.553] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.553] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.553] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.553] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\..") returned 144 [0084.553] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.553] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.553] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.553] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.553] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.553] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.553] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.553] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.553] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0084.553] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.553] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.553] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.553] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.553] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0084.553] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.553] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0084.553] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.553] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0084.553] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.554] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xcf, lpOverlapped=0x0) returned 1 [0084.554] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.554] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xcf, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xcf, lpOverlapped=0x0) returned 1 [0084.554] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.555] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.555] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.555] CloseHandle (hObject=0x200) returned 1 [0084.555] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json.protected") returned 165 [0084.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json.protected")) returned 1 [0084.555] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.555] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.555] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.555] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.556] lstrlenA (lpString="EMPTY") returned 5 [0084.556] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.556] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.556] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.556] CloseHandle (hObject=0x1fc) returned 1 [0084.557] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.557] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0084.557] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0084.557] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0084.557] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0084.557] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0084.557] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs") returned 141 [0084.557] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0084.557] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0084.557] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\*") returned 143 [0084.557] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.557] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.557] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.557] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.557] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.557] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.557] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\.") returned 143 [0084.557] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.557] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.557] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.557] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.557] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.557] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.557] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.557] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\..") returned 144 [0084.557] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.557] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.557] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.557] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.557] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.557] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.557] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.558] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.558] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0084.558] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.558] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.558] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.558] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.558] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0084.558] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0084.558] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.559] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0084.559] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.559] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0084.559] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.559] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0084.559] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.559] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.560] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.560] CloseHandle (hObject=0x200) returned 1 [0084.560] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json.protected") returned 165 [0084.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json.protected")) returned 1 [0084.560] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.560] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.560] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.560] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.561] lstrlenA (lpString="EMPTY") returned 5 [0084.561] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.561] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.561] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.561] CloseHandle (hObject=0x1fc) returned 1 [0084.562] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.562] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0084.562] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0084.562] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0084.562] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0084.562] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0084.562] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da") returned 141 [0084.562] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0084.562] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0084.562] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\*") returned 143 [0084.562] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.562] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.562] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.562] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.562] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.562] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.562] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\.") returned 143 [0084.562] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.562] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.562] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.562] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.562] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.562] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.562] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.562] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\..") returned 144 [0084.562] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.562] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.562] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.562] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.562] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.562] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.562] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.563] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.563] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json") returned 155 [0084.563] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.563] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.563] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.563] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.563] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.563] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json") returned 155 [0084.563] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.563] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json") returned 155 [0084.563] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.563] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json") returned 155 [0084.563] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.563] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd8, lpOverlapped=0x0) returned 1 [0084.564] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.564] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd8, lpOverlapped=0x0) returned 1 [0084.564] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.564] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.564] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.564] CloseHandle (hObject=0x200) returned 1 [0084.564] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json.protected") returned 165 [0084.564] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json.protected")) returned 1 [0084.565] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.565] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.565] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.565] lstrlenA (lpString="EMPTY") returned 5 [0084.565] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.566] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.566] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.566] CloseHandle (hObject=0x1fc) returned 1 [0084.566] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.566] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0084.566] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0084.566] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0084.566] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0084.566] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0084.566] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de") returned 141 [0084.566] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0084.566] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0084.566] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\*") returned 143 [0084.566] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.566] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.566] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.566] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.566] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.566] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.566] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\.") returned 143 [0084.566] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.566] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.566] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.566] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.566] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.566] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.566] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.567] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\..") returned 144 [0084.567] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.567] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.567] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.567] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.567] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.567] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.567] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.567] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.567] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json") returned 155 [0084.567] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.567] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.567] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.567] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.567] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.568] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json") returned 155 [0084.568] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.568] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json") returned 155 [0084.568] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.568] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json") returned 155 [0084.568] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.568] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd9, lpOverlapped=0x0) returned 1 [0084.569] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.569] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd9, lpOverlapped=0x0) returned 1 [0084.569] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.569] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.569] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.569] CloseHandle (hObject=0x200) returned 1 [0084.569] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json.protected") returned 165 [0084.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json.protected")) returned 1 [0084.569] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.569] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.570] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.570] lstrlenA (lpString="EMPTY") returned 5 [0084.570] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.570] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.570] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.571] CloseHandle (hObject=0x1fc) returned 1 [0084.571] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.571] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0084.571] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0084.571] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0084.571] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0084.571] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0084.571] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el") returned 141 [0084.571] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0084.571] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0084.571] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\*") returned 143 [0084.571] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.571] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.571] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.571] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.571] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.571] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.571] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\.") returned 143 [0084.571] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.571] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.571] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.571] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.571] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.571] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.571] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.571] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\..") returned 144 [0084.571] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.571] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.571] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.571] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.571] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.572] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.572] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.572] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.572] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json") returned 155 [0084.572] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.572] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.572] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.572] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.572] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json") returned 155 [0084.572] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.572] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json") returned 155 [0084.572] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.572] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json") returned 155 [0084.572] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.572] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x104, lpOverlapped=0x0) returned 1 [0084.573] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.573] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x104, lpOverlapped=0x0) returned 1 [0084.573] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.573] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.573] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.573] CloseHandle (hObject=0x200) returned 1 [0084.573] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json.protected") returned 165 [0084.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json.protected")) returned 1 [0084.574] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.574] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.574] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.574] lstrlenA (lpString="EMPTY") returned 5 [0084.574] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.575] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.575] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.575] CloseHandle (hObject=0x1fc) returned 1 [0084.575] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.575] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0084.575] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0084.575] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0084.575] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0084.575] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0084.575] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB") returned 144 [0084.575] lstrcmpW (lpString1="en_GB", lpString2=".") returned 1 [0084.575] lstrcmpW (lpString1="en_GB", lpString2="..") returned 1 [0084.575] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\*") returned 146 [0084.575] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.575] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.575] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.575] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.575] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.575] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.576] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\.") returned 146 [0084.576] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.576] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.576] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.576] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.576] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.576] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.576] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.576] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\..") returned 147 [0084.576] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.576] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.576] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.576] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.576] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.576] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.576] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.576] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.576] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0084.576] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.576] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.576] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.576] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.576] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.577] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0084.577] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.577] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0084.577] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.577] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0084.577] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.577] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd0, lpOverlapped=0x0) returned 1 [0084.578] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.578] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd0, lpOverlapped=0x0) returned 1 [0084.578] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.578] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.578] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.578] CloseHandle (hObject=0x200) returned 1 [0084.578] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json.protected") returned 168 [0084.578] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_gb\\messages.json.protected")) returned 1 [0084.579] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.579] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.579] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0084.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_gb\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.579] lstrlenA (lpString="EMPTY") returned 5 [0084.579] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.580] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.580] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.580] CloseHandle (hObject=0x1fc) returned 1 [0084.580] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.580] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0084.580] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0084.580] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0084.580] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0084.580] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0084.580] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US") returned 144 [0084.580] lstrcmpW (lpString1="en_US", lpString2=".") returned 1 [0084.580] lstrcmpW (lpString1="en_US", lpString2="..") returned 1 [0084.580] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\*") returned 146 [0084.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.580] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.580] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.580] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.580] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.580] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.580] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\.") returned 146 [0084.580] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.581] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.581] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.581] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.581] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.581] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.581] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.581] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\..") returned 147 [0084.581] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.581] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.581] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.581] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.581] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.581] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.581] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.581] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.581] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0084.581] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.581] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.581] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.581] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.581] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.582] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0084.582] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.582] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0084.582] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.582] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0084.582] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.582] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd1, lpOverlapped=0x0) returned 1 [0084.582] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.582] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd1, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd1, lpOverlapped=0x0) returned 1 [0084.583] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.583] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.583] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.583] CloseHandle (hObject=0x200) returned 1 [0084.583] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json.protected") returned 168 [0084.583] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_us\\messages.json.protected")) returned 1 [0084.583] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.583] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.583] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0084.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_us\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.584] lstrlenA (lpString="EMPTY") returned 5 [0084.584] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.584] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.584] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.585] CloseHandle (hObject=0x1fc) returned 1 [0084.585] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.585] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0084.585] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0084.585] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0084.585] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0084.585] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0084.585] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es") returned 141 [0084.585] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0084.585] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0084.585] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\*") returned 143 [0084.585] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.585] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.585] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.585] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.585] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.585] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.585] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\.") returned 143 [0084.585] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.585] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.585] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.585] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.585] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.585] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.585] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.585] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\..") returned 144 [0084.585] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.585] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.585] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.585] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.585] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.585] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.585] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.585] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.585] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json") returned 155 [0084.585] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.586] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.586] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.586] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json") returned 155 [0084.586] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json") returned 155 [0084.586] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json") returned 155 [0084.586] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.586] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xce, lpOverlapped=0x0) returned 1 [0084.587] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.587] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xce, lpOverlapped=0x0) returned 1 [0084.587] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.587] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.587] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.587] CloseHandle (hObject=0x200) returned 1 [0084.587] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json.protected") returned 165 [0084.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json.protected")) returned 1 [0084.587] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.587] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.588] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.589] lstrlenA (lpString="EMPTY") returned 5 [0084.589] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.589] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.590] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.590] CloseHandle (hObject=0x1fc) returned 1 [0084.590] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.590] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0084.590] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0084.590] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0084.590] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0084.590] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0084.590] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419") returned 145 [0084.590] lstrcmpW (lpString1="es_419", lpString2=".") returned 1 [0084.590] lstrcmpW (lpString1="es_419", lpString2="..") returned 1 [0084.590] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\*") returned 147 [0084.590] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.590] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.590] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.590] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.590] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.590] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.590] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\.") returned 147 [0084.590] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.590] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.590] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.590] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.590] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.590] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.590] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.590] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\..") returned 148 [0084.590] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.590] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.590] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.590] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.590] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.591] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.591] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.591] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.591] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0084.591] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.591] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.591] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.591] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.591] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.592] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0084.592] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.592] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0084.592] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.592] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0084.592] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.592] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xce, lpOverlapped=0x0) returned 1 [0084.592] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.592] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xce, lpOverlapped=0x0) returned 1 [0084.593] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.593] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.593] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.593] CloseHandle (hObject=0x200) returned 1 [0084.593] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json.protected") returned 169 [0084.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json.protected")) returned 1 [0084.593] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.593] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.593] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0084.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.594] lstrlenA (lpString="EMPTY") returned 5 [0084.594] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.595] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.595] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.595] CloseHandle (hObject=0x1fc) returned 1 [0084.595] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.595] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0084.595] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0084.595] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0084.595] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0084.595] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0084.595] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et") returned 141 [0084.595] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0084.595] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0084.595] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\*") returned 143 [0084.595] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.595] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.595] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.595] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.596] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.596] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.596] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\.") returned 143 [0084.596] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.596] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.596] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.596] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.596] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.596] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.596] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.596] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\..") returned 144 [0084.596] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.596] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.596] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.596] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.596] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.596] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.596] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.596] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.596] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json") returned 155 [0084.596] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.596] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.596] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.596] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.596] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json") returned 155 [0084.596] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.596] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json") returned 155 [0084.597] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.597] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json") returned 155 [0084.597] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.597] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd8, lpOverlapped=0x0) returned 1 [0084.597] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.597] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd8, lpOverlapped=0x0) returned 1 [0084.597] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.597] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.597] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.598] CloseHandle (hObject=0x200) returned 1 [0084.598] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json.protected") returned 165 [0084.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json.protected")) returned 1 [0084.598] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.598] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.598] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.598] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.598] lstrlenA (lpString="EMPTY") returned 5 [0084.599] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.599] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.599] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.599] CloseHandle (hObject=0x1fc) returned 1 [0084.599] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.599] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0084.599] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0084.599] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0084.599] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0084.599] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0084.599] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi") returned 141 [0084.599] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0084.600] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0084.600] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\*") returned 143 [0084.600] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.600] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.600] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.600] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.600] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.600] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.600] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\.") returned 143 [0084.600] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.600] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.600] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.600] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.600] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.600] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.600] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.600] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\..") returned 144 [0084.600] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.600] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.600] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.600] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.600] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.600] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.600] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.600] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.600] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0084.600] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.600] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.600] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.600] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0084.601] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0084.601] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0084.601] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.601] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd8, lpOverlapped=0x0) returned 1 [0084.602] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.602] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd8, lpOverlapped=0x0) returned 1 [0084.602] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.602] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.602] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.602] CloseHandle (hObject=0x200) returned 1 [0084.602] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json.protected") returned 165 [0084.602] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json.protected")) returned 1 [0084.603] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.603] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.603] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.603] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.603] lstrlenA (lpString="EMPTY") returned 5 [0084.603] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.604] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.604] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.604] CloseHandle (hObject=0x1fc) returned 1 [0084.604] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.604] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0084.604] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0084.604] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0084.604] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0084.604] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0084.604] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil") returned 142 [0084.605] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0084.605] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0084.605] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\*") returned 144 [0084.605] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.605] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.605] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.605] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.605] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.605] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.605] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\.") returned 144 [0084.605] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.605] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.605] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.605] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.605] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.605] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.605] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.605] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\..") returned 145 [0084.605] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.605] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.605] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.605] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.605] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.605] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.605] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.605] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.606] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0084.606] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.606] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.606] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.606] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0084.606] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0084.606] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0084.606] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.606] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xdb, lpOverlapped=0x0) returned 1 [0084.607] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.607] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xdb, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xdb, lpOverlapped=0x0) returned 1 [0084.607] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.607] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.607] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.607] CloseHandle (hObject=0x200) returned 1 [0084.607] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json.protected") returned 166 [0084.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json.protected")) returned 1 [0084.608] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.608] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.608] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0084.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.608] lstrlenA (lpString="EMPTY") returned 5 [0084.608] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.609] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.609] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.609] CloseHandle (hObject=0x1fc) returned 1 [0084.609] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.609] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0084.609] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0084.609] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0084.609] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0084.609] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0084.609] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr") returned 141 [0084.609] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0084.609] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0084.609] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\*") returned 143 [0084.609] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.610] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.610] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.610] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.610] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.610] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.610] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\.") returned 143 [0084.610] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.610] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.610] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.610] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.610] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.610] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.610] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.610] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\..") returned 144 [0084.610] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.610] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.610] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.610] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.610] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.610] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.610] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.610] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.610] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0084.610] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.610] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.610] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.610] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0084.611] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0084.611] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0084.611] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.611] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd7, lpOverlapped=0x0) returned 1 [0084.612] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.612] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd7, lpOverlapped=0x0) returned 1 [0084.612] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.612] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.612] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.612] CloseHandle (hObject=0x200) returned 1 [0084.612] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json.protected") returned 165 [0084.612] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json.protected")) returned 1 [0084.613] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.613] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.613] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.613] lstrlenA (lpString="EMPTY") returned 5 [0084.613] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.614] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.614] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.614] CloseHandle (hObject=0x1fc) returned 1 [0084.614] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.614] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0084.614] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0084.614] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0084.614] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0084.614] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0084.614] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he") returned 141 [0084.614] lstrcmpW (lpString1="he", lpString2=".") returned 1 [0084.614] lstrcmpW (lpString1="he", lpString2="..") returned 1 [0084.614] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\*") returned 143 [0084.614] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.614] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.614] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.614] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.614] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.614] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.614] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\.") returned 143 [0084.614] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.614] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.614] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.614] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.614] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.614] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.614] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.614] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\..") returned 144 [0084.614] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.615] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.615] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.615] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.615] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.615] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.615] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.615] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.615] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json") returned 155 [0084.615] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.615] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.615] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.615] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json") returned 155 [0084.615] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json") returned 155 [0084.615] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json") returned 155 [0084.615] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.615] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0084.616] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.616] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0084.616] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.616] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.616] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.616] CloseHandle (hObject=0x200) returned 1 [0084.616] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json.protected") returned 165 [0084.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json.protected")) returned 1 [0084.617] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.617] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.617] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.617] lstrlenA (lpString="EMPTY") returned 5 [0084.617] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.618] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.618] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.618] CloseHandle (hObject=0x1fc) returned 1 [0084.618] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.618] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0084.618] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0084.618] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0084.618] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0084.618] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0084.618] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi") returned 141 [0084.618] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0084.618] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0084.618] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\*") returned 143 [0084.618] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.618] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.618] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.618] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.618] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.618] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.618] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\.") returned 143 [0084.618] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.618] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.618] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.618] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.619] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.619] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.619] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.619] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\..") returned 144 [0084.619] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.619] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.619] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.619] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.619] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.619] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.619] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.619] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.619] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0084.619] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.619] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.619] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.619] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.619] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.620] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0084.620] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.620] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0084.620] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.620] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0084.620] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.620] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x117, lpOverlapped=0x0) returned 1 [0084.621] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffee9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.621] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x117, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x117, lpOverlapped=0x0) returned 1 [0084.621] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.621] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.621] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.621] CloseHandle (hObject=0x200) returned 1 [0084.621] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json.protected") returned 165 [0084.621] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json.protected")) returned 1 [0084.621] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.621] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.622] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.622] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.622] lstrlenA (lpString="EMPTY") returned 5 [0084.622] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.622] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.622] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.623] CloseHandle (hObject=0x1fc) returned 1 [0084.623] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.623] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0084.623] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0084.623] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0084.623] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0084.623] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0084.623] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu") returned 141 [0084.623] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0084.623] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0084.623] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\*") returned 143 [0084.623] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.623] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.623] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.623] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.623] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.623] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.623] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\.") returned 143 [0084.624] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.624] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.624] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.624] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.624] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.624] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.624] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.624] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\..") returned 144 [0084.624] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.624] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.624] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.624] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.624] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.624] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.624] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.624] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.624] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0084.624] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.624] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.624] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.624] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.624] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0084.624] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.624] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0084.624] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.624] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0084.624] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.624] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xeb, lpOverlapped=0x0) returned 1 [0084.625] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.625] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xeb, lpOverlapped=0x0) returned 1 [0084.625] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.625] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.625] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.625] CloseHandle (hObject=0x200) returned 1 [0084.625] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json.protected") returned 165 [0084.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json.protected")) returned 1 [0084.626] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.626] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.626] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.626] lstrlenA (lpString="EMPTY") returned 5 [0084.626] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.627] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.627] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.627] CloseHandle (hObject=0x1fc) returned 1 [0084.627] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.627] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0084.627] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0084.627] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0084.627] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0084.627] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0084.627] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id") returned 141 [0084.627] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0084.627] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0084.628] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\*") returned 143 [0084.628] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.628] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.628] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.628] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.628] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.628] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.628] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\.") returned 143 [0084.628] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.628] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.628] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.628] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.628] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.628] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.628] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.628] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\..") returned 144 [0084.628] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.628] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.628] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.628] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.628] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.628] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.628] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.628] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.628] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json") returned 155 [0084.628] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.628] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.628] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.628] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.629] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json") returned 155 [0084.629] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.629] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json") returned 155 [0084.629] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.629] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json") returned 155 [0084.629] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.629] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd1, lpOverlapped=0x0) returned 1 [0084.630] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.630] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd1, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd1, lpOverlapped=0x0) returned 1 [0084.630] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.630] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.630] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.631] CloseHandle (hObject=0x200) returned 1 [0084.631] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json.protected") returned 165 [0084.631] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json.protected")) returned 1 [0084.631] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.631] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.631] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.631] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.632] lstrlenA (lpString="EMPTY") returned 5 [0084.632] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.632] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.632] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.632] CloseHandle (hObject=0x1fc) returned 1 [0084.632] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.632] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0084.633] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0084.633] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0084.633] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0084.633] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0084.633] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it") returned 141 [0084.633] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0084.633] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0084.633] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\*") returned 143 [0084.633] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.633] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.633] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.633] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.633] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.633] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.633] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\.") returned 143 [0084.633] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.633] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.633] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.633] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.633] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.633] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.633] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.633] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\..") returned 144 [0084.633] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.633] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.633] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.633] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.633] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.633] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.633] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.633] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.633] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json") returned 155 [0084.633] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.634] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.634] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.634] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.634] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.634] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json") returned 155 [0084.634] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.634] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json") returned 155 [0084.634] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.634] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json") returned 155 [0084.634] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.634] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0084.635] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.635] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0084.635] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.635] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.635] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.635] CloseHandle (hObject=0x200) returned 1 [0084.635] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json.protected") returned 165 [0084.635] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json.protected")) returned 1 [0084.636] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.636] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.636] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.636] lstrlenA (lpString="EMPTY") returned 5 [0084.636] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.637] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.637] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.637] CloseHandle (hObject=0x1fc) returned 1 [0084.637] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.637] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0084.637] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0084.637] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0084.637] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0084.637] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0084.637] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja") returned 141 [0084.637] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0084.637] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0084.637] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\*") returned 143 [0084.637] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.638] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.638] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.638] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.638] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.638] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.638] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\.") returned 143 [0084.638] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.638] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.638] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.638] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.638] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.638] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.638] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.638] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\..") returned 144 [0084.638] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.638] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.638] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.638] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.638] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.638] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.638] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.638] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.638] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0084.638] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.638] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.638] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.638] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.638] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.639] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0084.639] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.639] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0084.639] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.639] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0084.639] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.639] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0084.640] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.640] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0084.640] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.640] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.641] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.641] CloseHandle (hObject=0x200) returned 1 [0084.641] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json.protected") returned 165 [0084.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json.protected")) returned 1 [0084.641] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.641] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.641] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.642] lstrlenA (lpString="EMPTY") returned 5 [0084.642] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.642] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.642] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.643] CloseHandle (hObject=0x1fc) returned 1 [0084.643] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.643] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0084.643] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0084.643] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0084.643] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0084.643] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0084.643] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko") returned 141 [0084.643] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0084.643] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0084.643] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\*") returned 143 [0084.643] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.643] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.643] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.643] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.643] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.643] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.643] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\.") returned 143 [0084.643] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.643] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.643] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.643] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.643] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.643] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.643] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.643] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\..") returned 144 [0084.643] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.643] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.643] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.643] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.644] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.644] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.644] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.644] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.644] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0084.644] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.644] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.644] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.644] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.644] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0084.644] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.644] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0084.644] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.644] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0084.644] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.644] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xda, lpOverlapped=0x0) returned 1 [0084.645] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.645] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xda, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xda, lpOverlapped=0x0) returned 1 [0084.645] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.645] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.645] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.645] CloseHandle (hObject=0x200) returned 1 [0084.645] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json.protected") returned 165 [0084.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json.protected")) returned 1 [0084.646] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.646] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.646] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.646] lstrlenA (lpString="EMPTY") returned 5 [0084.646] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.647] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.647] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.647] CloseHandle (hObject=0x1fc) returned 1 [0084.647] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.647] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0084.647] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0084.647] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0084.647] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0084.647] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0084.648] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt") returned 141 [0084.648] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0084.648] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0084.648] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\*") returned 143 [0084.648] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.648] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.648] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.648] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.648] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.648] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.648] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\.") returned 143 [0084.648] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.648] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.648] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.648] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.648] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.648] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.648] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.648] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\..") returned 144 [0084.648] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.648] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.648] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.648] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.648] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.648] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.648] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.648] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.648] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0084.649] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.649] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.649] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.649] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.649] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0084.649] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.649] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0084.649] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.649] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0084.650] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.650] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe4, lpOverlapped=0x0) returned 1 [0084.650] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.650] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe4, lpOverlapped=0x0) returned 1 [0084.650] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.650] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.651] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.651] CloseHandle (hObject=0x200) returned 1 [0084.651] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json.protected") returned 165 [0084.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json.protected")) returned 1 [0084.651] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.651] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.651] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.652] lstrlenA (lpString="EMPTY") returned 5 [0084.652] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.652] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.652] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.652] CloseHandle (hObject=0x1fc) returned 1 [0084.652] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.652] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0084.652] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0084.652] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0084.652] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0084.653] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0084.653] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv") returned 141 [0084.653] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0084.653] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0084.653] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\*") returned 143 [0084.653] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.653] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.653] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.653] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.653] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.653] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.653] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\.") returned 143 [0084.653] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.653] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.653] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.653] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.653] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.653] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.653] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.653] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\..") returned 144 [0084.653] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.653] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.653] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.653] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.653] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.653] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.653] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.653] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.653] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0084.653] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.653] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.653] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.653] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.653] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.654] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0084.654] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.654] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0084.654] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.654] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0084.654] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.654] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0084.655] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.655] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0084.655] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.655] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.655] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.655] CloseHandle (hObject=0x200) returned 1 [0084.655] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json.protected") returned 165 [0084.655] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json.protected")) returned 1 [0084.656] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.656] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.656] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.656] lstrlenA (lpString="EMPTY") returned 5 [0084.656] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.657] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.657] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.657] CloseHandle (hObject=0x1fc) returned 1 [0084.657] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.657] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0084.657] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0084.657] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0084.657] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0084.657] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0084.657] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms") returned 141 [0084.657] lstrcmpW (lpString1="ms", lpString2=".") returned 1 [0084.657] lstrcmpW (lpString1="ms", lpString2="..") returned 1 [0084.657] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\*") returned 143 [0084.657] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.657] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.657] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.657] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.657] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.657] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.658] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\.") returned 143 [0084.658] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.658] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.658] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.658] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.658] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.658] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.658] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.658] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\..") returned 144 [0084.658] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.658] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.658] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.658] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.658] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.658] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.658] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.658] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.658] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0084.658] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.658] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.658] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.658] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.659] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0084.659] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.659] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0084.659] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.659] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0084.659] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.660] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xcf, lpOverlapped=0x0) returned 1 [0084.660] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.660] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xcf, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xcf, lpOverlapped=0x0) returned 1 [0084.660] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.660] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.661] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.661] CloseHandle (hObject=0x200) returned 1 [0084.661] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json.protected") returned 165 [0084.661] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json.protected")) returned 1 [0084.661] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.661] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.661] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.662] lstrlenA (lpString="EMPTY") returned 5 [0084.662] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.662] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.662] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.663] CloseHandle (hObject=0x1fc) returned 1 [0084.663] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.663] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0084.663] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0084.663] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0084.663] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0084.663] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0084.663] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl") returned 141 [0084.663] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0084.663] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0084.663] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\*") returned 143 [0084.663] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.663] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.663] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.663] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.663] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.663] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.663] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\.") returned 143 [0084.663] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.663] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.663] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.663] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.663] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.663] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.663] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.663] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\..") returned 144 [0084.663] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.663] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.663] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.663] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.663] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.663] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.663] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.663] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.663] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0084.664] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.664] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.664] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.664] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.664] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0084.664] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.664] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0084.664] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.664] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0084.664] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.664] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd9, lpOverlapped=0x0) returned 1 [0084.665] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.665] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd9, lpOverlapped=0x0) returned 1 [0084.665] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.665] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.665] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.665] CloseHandle (hObject=0x200) returned 1 [0084.665] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json.protected") returned 165 [0084.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json.protected")) returned 1 [0084.666] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.666] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.666] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.666] lstrlenA (lpString="EMPTY") returned 5 [0084.666] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.667] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.667] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.667] CloseHandle (hObject=0x1fc) returned 1 [0084.667] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.667] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0084.667] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0084.667] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0084.667] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0084.667] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0084.667] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no") returned 141 [0084.667] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0084.667] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0084.667] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\*") returned 143 [0084.667] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.667] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.667] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.667] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.668] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.668] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.668] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\.") returned 143 [0084.668] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.668] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.668] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.668] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.668] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.668] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.668] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.668] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\..") returned 144 [0084.668] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.668] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.668] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.668] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.668] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.668] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.668] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.668] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.668] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json") returned 155 [0084.668] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.668] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.668] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.668] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.669] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json") returned 155 [0084.669] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.669] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json") returned 155 [0084.669] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.669] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json") returned 155 [0084.669] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.669] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xc3, lpOverlapped=0x0) returned 1 [0084.670] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.670] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xc3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xc3, lpOverlapped=0x0) returned 1 [0084.670] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.670] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.671] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.671] CloseHandle (hObject=0x200) returned 1 [0084.671] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json.protected") returned 165 [0084.671] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json.protected")) returned 1 [0084.671] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.671] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.671] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.672] lstrlenA (lpString="EMPTY") returned 5 [0084.672] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.673] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.673] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.673] CloseHandle (hObject=0x1fc) returned 1 [0084.673] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.673] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0084.673] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0084.673] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0084.673] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0084.673] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0084.673] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl") returned 141 [0084.673] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0084.673] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0084.673] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\*") returned 143 [0084.673] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.673] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.673] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.673] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.673] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.674] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.674] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\.") returned 143 [0084.674] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.674] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.674] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.674] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.674] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.674] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.674] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.674] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\..") returned 144 [0084.674] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.674] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.674] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.674] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.674] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.674] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.674] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.674] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.674] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0084.674] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.674] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.674] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.674] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.675] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0084.675] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.675] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0084.675] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.675] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0084.675] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.675] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0084.676] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.676] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0084.676] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.676] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.676] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.676] CloseHandle (hObject=0x200) returned 1 [0084.676] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json.protected") returned 165 [0084.676] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json.protected")) returned 1 [0084.677] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.677] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.677] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.677] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.677] lstrlenA (lpString="EMPTY") returned 5 [0084.677] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.678] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.678] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.678] CloseHandle (hObject=0x1fc) returned 1 [0084.678] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.678] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0084.678] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0084.678] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0084.678] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0084.678] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0084.678] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR") returned 144 [0084.678] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0084.678] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0084.678] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\*") returned 146 [0084.678] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.679] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.679] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.679] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.679] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.679] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.679] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\.") returned 146 [0084.679] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.679] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.679] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.679] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.679] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.679] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.679] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.679] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\..") returned 147 [0084.679] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.679] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.679] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.679] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.679] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.679] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.679] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.679] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.679] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0084.679] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.679] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.679] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.679] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.680] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0084.680] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.680] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0084.680] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.680] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0084.680] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.680] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xce, lpOverlapped=0x0) returned 1 [0084.681] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.681] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xce, lpOverlapped=0x0) returned 1 [0084.681] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.681] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.681] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.681] CloseHandle (hObject=0x200) returned 1 [0084.681] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json.protected") returned 168 [0084.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0084.682] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.682] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.682] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0084.682] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_br\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.682] lstrlenA (lpString="EMPTY") returned 5 [0084.682] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.683] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.683] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.683] CloseHandle (hObject=0x1fc) returned 1 [0084.683] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.683] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0084.683] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0084.683] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0084.683] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0084.683] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0084.683] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT") returned 144 [0084.683] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0084.683] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0084.683] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\*") returned 146 [0084.683] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.683] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.683] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.683] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.683] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.683] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.683] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\.") returned 146 [0084.683] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.683] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.684] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.684] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.684] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.684] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.684] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.684] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\..") returned 147 [0084.684] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.684] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.684] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.684] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.684] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.684] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.684] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.684] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.684] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0084.684] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.684] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.684] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.684] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.684] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.684] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0084.684] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.684] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0084.684] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.684] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0084.684] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.684] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd0, lpOverlapped=0x0) returned 1 [0084.685] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.685] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd0, lpOverlapped=0x0) returned 1 [0084.685] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.685] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.685] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.686] CloseHandle (hObject=0x200) returned 1 [0084.686] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json.protected") returned 168 [0084.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0084.686] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.686] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.686] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0084.686] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_pt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.686] lstrlenA (lpString="EMPTY") returned 5 [0084.686] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.687] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.687] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.687] CloseHandle (hObject=0x1fc) returned 1 [0084.687] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.687] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0084.687] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0084.687] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0084.687] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0084.687] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0084.687] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro") returned 141 [0084.688] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0084.688] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0084.688] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\*") returned 143 [0084.688] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.688] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.688] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.688] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.688] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.688] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.688] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\.") returned 143 [0084.688] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.688] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.688] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.688] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.688] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.688] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.688] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.688] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\..") returned 144 [0084.688] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.688] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.688] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.688] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.688] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.688] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.688] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.688] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.688] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0084.688] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.688] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.688] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.688] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.688] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.689] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0084.689] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.689] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0084.689] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.689] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0084.689] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.689] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0084.690] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.690] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0084.690] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.690] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.690] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.690] CloseHandle (hObject=0x200) returned 1 [0084.690] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json.protected") returned 165 [0084.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json.protected")) returned 1 [0084.691] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.691] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.691] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.691] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.691] lstrlenA (lpString="EMPTY") returned 5 [0084.691] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.692] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.692] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.692] CloseHandle (hObject=0x1fc) returned 1 [0084.692] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.692] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0084.692] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0084.692] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0084.692] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0084.692] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0084.692] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru") returned 141 [0084.692] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0084.692] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0084.692] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\*") returned 143 [0084.692] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.693] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.693] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.693] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.693] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.693] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.693] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\.") returned 143 [0084.693] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.693] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.693] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.693] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.693] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.693] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.693] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.693] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\..") returned 144 [0084.693] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.693] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.693] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.693] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.693] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.693] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.693] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.693] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.693] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0084.693] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.693] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.693] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.693] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.693] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0084.693] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.694] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0084.694] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.694] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0084.694] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.694] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x10a, lpOverlapped=0x0) returned 1 [0084.694] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.694] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x10a, lpOverlapped=0x0) returned 1 [0084.694] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.694] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.695] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.695] CloseHandle (hObject=0x200) returned 1 [0084.695] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json.protected") returned 165 [0084.695] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json.protected")) returned 1 [0084.696] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.696] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.696] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.696] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.696] lstrlenA (lpString="EMPTY") returned 5 [0084.696] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.697] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.697] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.697] CloseHandle (hObject=0x1fc) returned 1 [0084.697] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.697] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0084.697] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0084.697] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0084.697] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0084.697] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0084.697] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk") returned 141 [0084.698] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0084.698] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0084.698] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\*") returned 143 [0084.698] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.698] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.698] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.698] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.698] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.698] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.698] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\.") returned 143 [0084.698] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.698] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.698] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.698] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.698] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.698] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.698] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.698] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\..") returned 144 [0084.698] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.698] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.698] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.698] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.698] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.698] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.698] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.698] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.698] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0084.698] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.698] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.698] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.698] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.699] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.699] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0084.699] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.699] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0084.699] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.699] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0084.699] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.699] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0084.700] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.700] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0084.700] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.700] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.701] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.701] CloseHandle (hObject=0x200) returned 1 [0084.701] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json.protected") returned 165 [0084.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json.protected")) returned 1 [0084.701] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.701] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.702] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.702] lstrlenA (lpString="EMPTY") returned 5 [0084.702] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.703] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.703] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.703] CloseHandle (hObject=0x1fc) returned 1 [0084.703] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.703] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0084.703] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0084.703] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0084.703] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0084.703] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0084.703] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl") returned 141 [0084.703] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0084.703] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0084.703] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\*") returned 143 [0084.703] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.703] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.703] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.703] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.703] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.703] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.703] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\.") returned 143 [0084.703] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.703] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.703] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.704] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.704] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.704] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.704] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.704] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\..") returned 144 [0084.704] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.704] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.704] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.704] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.704] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.704] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.704] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.704] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.704] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0084.704] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.704] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.704] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.704] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.704] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.704] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0084.704] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.704] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0084.704] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.704] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0084.704] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.704] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xda, lpOverlapped=0x0) returned 1 [0084.705] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.705] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xda, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xda, lpOverlapped=0x0) returned 1 [0084.705] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.705] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.705] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.706] CloseHandle (hObject=0x200) returned 1 [0084.706] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json.protected") returned 165 [0084.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json.protected")) returned 1 [0084.706] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.706] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.706] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.707] lstrlenA (lpString="EMPTY") returned 5 [0084.707] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.708] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.708] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.708] CloseHandle (hObject=0x1fc) returned 1 [0084.708] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.708] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0084.708] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0084.708] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0084.708] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0084.708] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0084.708] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr") returned 141 [0084.708] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0084.708] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0084.708] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\*") returned 143 [0084.708] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.708] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.708] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.708] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.708] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.708] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.708] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\.") returned 143 [0084.708] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.708] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.709] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.709] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.709] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.709] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.709] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.709] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\..") returned 144 [0084.709] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.709] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.709] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.709] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.709] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.709] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.709] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.709] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.709] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0084.709] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.709] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.709] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.709] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.710] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0084.710] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.710] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0084.710] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.710] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0084.710] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.710] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xf8, lpOverlapped=0x0) returned 1 [0084.711] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.711] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xf8, lpOverlapped=0x0) returned 1 [0084.711] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.711] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.711] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.711] CloseHandle (hObject=0x200) returned 1 [0084.711] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json.protected") returned 165 [0084.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json.protected")) returned 1 [0084.712] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.712] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.712] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.712] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.713] lstrlenA (lpString="EMPTY") returned 5 [0084.713] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.714] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.714] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.714] CloseHandle (hObject=0x1fc) returned 1 [0084.714] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.714] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0084.714] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0084.714] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0084.714] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0084.714] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0084.714] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv") returned 141 [0084.714] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0084.714] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0084.714] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\*") returned 143 [0084.714] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.714] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.714] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.714] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.714] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.715] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.715] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\.") returned 143 [0084.715] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.715] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.715] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.715] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.715] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.715] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.715] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.715] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\..") returned 144 [0084.715] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.715] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.715] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.715] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.715] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.715] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.715] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.715] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.715] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0084.715] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.715] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.715] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.715] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.715] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.716] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0084.716] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.716] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0084.716] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.716] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0084.716] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.716] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd6, lpOverlapped=0x0) returned 1 [0084.717] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.717] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd6, lpOverlapped=0x0) returned 1 [0084.717] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.717] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.717] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.717] CloseHandle (hObject=0x200) returned 1 [0084.718] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json.protected") returned 165 [0084.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json.protected")) returned 1 [0084.718] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.718] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.718] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.718] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.719] lstrlenA (lpString="EMPTY") returned 5 [0084.719] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.719] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.719] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.719] CloseHandle (hObject=0x1fc) returned 1 [0084.719] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.720] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0084.720] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0084.720] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0084.720] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0084.720] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0084.720] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th") returned 141 [0084.720] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0084.720] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0084.720] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\*") returned 143 [0084.720] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.720] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.720] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.720] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.720] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.720] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.720] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\.") returned 143 [0084.720] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.720] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.720] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.720] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.720] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.720] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.720] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.720] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\..") returned 144 [0084.720] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.720] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.720] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.720] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.720] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.721] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.721] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.721] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.721] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json") returned 155 [0084.721] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.721] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.721] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.721] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.722] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json") returned 155 [0084.722] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.722] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json") returned 155 [0084.722] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.722] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json") returned 155 [0084.722] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.722] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xfe, lpOverlapped=0x0) returned 1 [0084.723] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.723] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xfe, lpOverlapped=0x0) returned 1 [0084.723] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.723] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.723] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.724] CloseHandle (hObject=0x200) returned 1 [0084.724] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json.protected") returned 165 [0084.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json.protected")) returned 1 [0084.724] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.724] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.725] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.725] lstrlenA (lpString="EMPTY") returned 5 [0084.725] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.726] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.726] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.726] CloseHandle (hObject=0x1fc) returned 1 [0084.726] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.726] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0084.726] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0084.726] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0084.726] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0084.726] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0084.726] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr") returned 141 [0084.726] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0084.726] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0084.726] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\*") returned 143 [0084.727] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.727] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.727] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.727] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.727] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.727] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.727] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\.") returned 143 [0084.727] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.727] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.727] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.727] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.727] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.727] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.727] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.727] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\..") returned 144 [0084.727] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.727] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.727] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.727] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.727] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.727] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.727] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.727] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.727] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0084.727] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.727] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.727] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.727] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.727] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.728] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0084.728] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.728] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0084.728] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.728] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0084.728] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.728] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe3, lpOverlapped=0x0) returned 1 [0084.728] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.729] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe3, lpOverlapped=0x0) returned 1 [0084.729] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.729] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.729] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.729] CloseHandle (hObject=0x200) returned 1 [0084.729] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json.protected") returned 165 [0084.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json.protected")) returned 1 [0084.729] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.730] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.730] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.730] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.730] lstrlenA (lpString="EMPTY") returned 5 [0084.730] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.731] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.731] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.731] CloseHandle (hObject=0x1fc) returned 1 [0084.731] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.731] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0084.731] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0084.731] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0084.731] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0084.731] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0084.731] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk") returned 141 [0084.731] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0084.731] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0084.731] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\*") returned 143 [0084.731] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.731] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.731] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.731] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.731] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.731] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.731] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\.") returned 143 [0084.731] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.731] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.731] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.732] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.732] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.732] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.732] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.732] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\..") returned 144 [0084.732] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.732] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.732] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.732] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.732] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.732] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.732] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.732] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.732] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0084.732] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.732] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.732] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.732] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.732] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.733] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0084.733] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.733] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0084.733] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.733] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0084.733] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.733] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x108, lpOverlapped=0x0) returned 1 [0084.734] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.734] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x108, lpOverlapped=0x0) returned 1 [0084.734] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.734] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.734] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.734] CloseHandle (hObject=0x200) returned 1 [0084.734] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json.protected") returned 165 [0084.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json.protected")) returned 1 [0084.734] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.735] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.735] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.735] lstrlenA (lpString="EMPTY") returned 5 [0084.735] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.735] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.735] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.736] CloseHandle (hObject=0x1fc) returned 1 [0084.736] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.736] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0084.736] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0084.736] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0084.736] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0084.736] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0084.736] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi") returned 141 [0084.736] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0084.736] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0084.736] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\*") returned 143 [0084.736] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.736] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.736] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.736] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.736] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.736] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.736] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\.") returned 143 [0084.736] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.736] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.736] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.736] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.736] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.736] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.736] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.736] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\..") returned 144 [0084.736] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.736] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.736] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.736] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.736] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.736] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.736] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.737] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.737] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0084.737] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.737] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.737] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.737] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.737] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.737] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0084.737] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.737] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0084.737] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.737] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0084.737] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.737] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe1, lpOverlapped=0x0) returned 1 [0084.738] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.738] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe1, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe1, lpOverlapped=0x0) returned 1 [0084.738] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.738] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.738] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.738] CloseHandle (hObject=0x200) returned 1 [0084.738] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json.protected") returned 165 [0084.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json.protected")) returned 1 [0084.739] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.739] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.739] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0084.739] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.739] lstrlenA (lpString="EMPTY") returned 5 [0084.739] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.739] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.739] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.740] CloseHandle (hObject=0x1fc) returned 1 [0084.740] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.740] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0084.740] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0084.740] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0084.740] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0084.740] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0084.740] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN") returned 144 [0084.740] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0084.740] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0084.740] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\*") returned 146 [0084.740] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.740] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.740] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.740] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.740] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.740] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.740] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\.") returned 146 [0084.740] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.740] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.740] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.740] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.740] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.740] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.740] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.741] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\..") returned 147 [0084.741] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.741] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.741] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.741] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.741] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.741] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.741] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.741] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.741] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0084.741] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.741] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.741] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.741] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.741] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0084.741] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.741] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0084.741] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.741] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0084.741] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.741] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xce, lpOverlapped=0x0) returned 1 [0084.742] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.742] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xce, lpOverlapped=0x0) returned 1 [0084.742] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.742] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.742] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.742] CloseHandle (hObject=0x200) returned 1 [0084.742] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json.protected") returned 168 [0084.742] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0084.743] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.743] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.743] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0084.743] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_cn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.743] lstrlenA (lpString="EMPTY") returned 5 [0084.743] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.744] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.744] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.744] CloseHandle (hObject=0x1fc) returned 1 [0084.744] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.744] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0084.744] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0084.744] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0084.744] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0084.744] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0084.744] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW") returned 144 [0084.744] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0084.744] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0084.744] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\*") returned 146 [0084.744] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.744] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.744] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.744] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.745] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.745] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.745] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\.") returned 146 [0084.745] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.745] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.745] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.745] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.745] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.745] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.745] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.745] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\..") returned 147 [0084.745] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.745] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.745] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.745] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.745] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.745] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.745] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.745] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.745] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0084.745] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.745] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.745] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.745] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.745] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0084.745] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0084.745] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0084.745] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.745] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xce, lpOverlapped=0x0) returned 1 [0084.746] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.746] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xce, lpOverlapped=0x0) returned 1 [0084.746] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.746] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0084.746] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0084.746] CloseHandle (hObject=0x200) returned 1 [0084.746] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json.protected") returned 168 [0084.747] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0084.747] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0084.747] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0084.747] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0084.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_tw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.747] lstrlenA (lpString="EMPTY") returned 5 [0084.747] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0084.748] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.748] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.748] CloseHandle (hObject=0x1fc) returned 1 [0084.748] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0084.748] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0084.748] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 168 [0084.749] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0084.749] lstrlenA (lpString="EMPTY") returned 5 [0084.749] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0084.750] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.750] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0084.750] CloseHandle (hObject=0x1f8) returned 1 [0084.750] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0084.750] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0084.750] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0084.750] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0084.750] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0084.750] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0084.750] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata") returned 139 [0084.750] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0084.750] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0084.750] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\*") returned 141 [0084.750] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0084.750] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.750] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.750] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.750] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.750] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.750] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\.") returned 141 [0084.750] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.750] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.750] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.750] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.750] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.751] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.751] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.751] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\..") returned 142 [0084.751] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.751] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.751] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.751] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0084.751] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0084.751] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files (x86)") returned -1 [0084.751] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0084.751] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0084.751] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0084.751] StrStrIW (lpFirst="computed_hashes.json", lpSrch=".protected") returned 0x0 [0084.751] lstrcmpW (lpString1="computed_hashes.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0084.751] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0084.751] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0084.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.752] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0084.752] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0084.752] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0084.752] StrStrW (lpFirst="computed_hashes.json", lpSrch=".rar") returned 0x0 [0084.752] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0084.752] StrStrW (lpFirst="computed_hashes.json", lpSrch=".zip") returned 0x0 [0084.752] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x160, lpOverlapped=0x0) returned 1 [0084.753] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffffea0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.753] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x160, lpOverlapped=0x0) returned 1 [0084.753] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.753] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0084.753] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0084.753] CloseHandle (hObject=0x1fc) returned 1 [0084.753] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json.protected") returned 170 [0084.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json.protected")) returned 1 [0084.754] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.754] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0084.754] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0084.754] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0084.754] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0084.754] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0084.754] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0084.754] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0084.754] lstrcmpW (lpString1="verified_contents.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.754] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0084.754] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0084.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0084.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0084.755] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0084.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0084.755] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0084.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0084.755] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0084.755] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0084.757] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.757] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0084.757] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.757] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0084.757] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0084.758] CloseHandle (hObject=0x1fc) returned 1 [0084.758] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json.protected") returned 172 [0084.758] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json.protected")) returned 1 [0084.759] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0084.759] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0084.759] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 169 [0084.759] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0084.807] lstrlenA (lpString="EMPTY") returned 5 [0084.807] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0084.807] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.807] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0084.808] CloseHandle (hObject=0x1f8) returned 1 [0084.808] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0 [0084.808] FindClose (in: hFindFile=0x557570 | out: hFindFile=0x557570) returned 1 [0084.809] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 159 [0084.809] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0084.809] lstrlenA (lpString="EMPTY") returned 5 [0084.809] WriteFile (in: hFile=0x1f4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed6c4*=0x5, lpOverlapped=0x0) returned 1 [0084.810] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.810] WriteFile (in: hFile=0x1f4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed6c4*=0x2ac, lpOverlapped=0x0) returned 1 [0084.810] CloseHandle (hObject=0x1f4) returned 1 [0084.810] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0 [0084.810] FindClose (in: hFindFile=0x557530 | out: hFindFile=0x557530) returned 1 [0084.810] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 153 [0084.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0084.811] lstrlenA (lpString="EMPTY") returned 5 [0084.811] WriteFile (in: hFile=0x1f0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed9bc*=0x5, lpOverlapped=0x0) returned 1 [0084.812] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0084.812] WriteFile (in: hFile=0x1f0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed9bc*=0x2ac, lpOverlapped=0x0) returned 1 [0084.812] CloseHandle (hObject=0x1f0) returned 1 [0084.812] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0084.812] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="Windows") returned -1 [0084.812] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="Program Files") returned -1 [0084.812] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="Program Files (x86)") returned -1 [0084.812] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="$Recycle.bin") returned 1 [0084.812] lstrcmpiW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="System Volume Information") returned -1 [0084.812] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf") returned 123 [0084.812] lstrcmpW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2=".") returned 1 [0084.812] lstrcmpW (lpString1="apdfllckaahabafndbhieahigkjlhalf", lpString2="..") returned 1 [0084.812] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\*") returned 125 [0084.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\*", lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0x557530 [0084.812] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.812] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.812] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.812] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.812] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.812] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\.") returned 125 [0084.812] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.812] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0084.813] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.813] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.813] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.813] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.813] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.813] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\..") returned 126 [0084.813] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.813] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.813] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0084.813] lstrcmpiW (lpString1="14.1_0", lpString2="Windows") returned -1 [0084.813] lstrcmpiW (lpString1="14.1_0", lpString2="Program Files") returned -1 [0084.813] lstrcmpiW (lpString1="14.1_0", lpString2="Program Files (x86)") returned -1 [0084.813] lstrcmpiW (lpString1="14.1_0", lpString2="$Recycle.bin") returned 1 [0084.813] lstrcmpiW (lpString1="14.1_0", lpString2="System Volume Information") returned -1 [0084.813] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0") returned 130 [0084.813] lstrcmpW (lpString1="14.1_0", lpString2=".") returned 1 [0084.813] lstrcmpW (lpString1="14.1_0", lpString2="..") returned 1 [0084.813] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\*") returned 132 [0084.813] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\*", lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0x557570 [0084.898] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.898] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.898] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.898] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.898] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.898] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\.") returned 132 [0084.898] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.898] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0084.898] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.898] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.898] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.898] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.898] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.898] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\..") returned 133 [0084.898] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.898] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.898] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0084.898] lstrcmpiW (lpString1="128.png", lpString2="Windows") returned -1 [0084.898] lstrcmpiW (lpString1="128.png", lpString2="Program Files") returned -1 [0084.898] lstrcmpiW (lpString1="128.png", lpString2="Program Files (x86)") returned -1 [0084.898] lstrcmpiW (lpString1="128.png", lpString2="$Recycle.bin") returned 1 [0084.898] lstrcmpiW (lpString1="128.png", lpString2="System Volume Information") returned -1 [0084.899] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png") returned 138 [0084.899] StrStrIW (lpFirst="128.png", lpSrch=".protected") returned 0x0 [0084.899] lstrcmpW (lpString1="128.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0084.899] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0084.899] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0084.899] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0084.900] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png") returned 138 [0084.900] StrStrW (lpFirst="128.png", lpSrch=".txt") returned 0x0 [0084.900] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png") returned 138 [0084.900] StrStrW (lpFirst="128.png", lpSrch=".rar") returned 0x0 [0084.900] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png") returned 138 [0084.900] StrStrW (lpFirst="128.png", lpSrch=".zip") returned 0x0 [0084.900] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x1a33, lpOverlapped=0x0) returned 1 [0084.943] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffe5cd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.944] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x1a33, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x1a33, lpOverlapped=0x0) returned 1 [0084.944] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.944] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0084.944] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0084.944] CloseHandle (hObject=0x1f8) returned 1 [0084.945] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.protected") returned 148 [0084.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.protected")) returned 1 [0084.946] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0084.946] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0084.946] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0084.946] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0084.946] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0084.946] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0084.946] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json") returned 144 [0084.946] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0084.946] lstrcmpW (lpString1="manifest.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.946] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0084.946] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0084.946] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0084.946] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json") returned 144 [0084.946] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0084.946] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json") returned 144 [0084.946] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0084.946] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json") returned 144 [0084.947] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0084.947] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x3ec, lpOverlapped=0x0) returned 1 [0084.959] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffffc14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.959] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x3ec, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x3ec, lpOverlapped=0x0) returned 1 [0084.960] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.960] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0084.960] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0084.960] CloseHandle (hObject=0x1f8) returned 1 [0084.961] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json.protected") returned 154 [0084.961] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json.protected")) returned 1 [0084.962] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0084.962] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0084.962] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0084.962] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0084.962] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0084.962] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0084.962] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales") returned 139 [0084.962] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0084.962] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0084.962] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\*") returned 141 [0084.962] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0084.975] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.975] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.975] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.975] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.975] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.975] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\.") returned 141 [0084.975] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.975] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.975] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.975] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.976] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.976] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.976] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.976] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\..") returned 142 [0084.976] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.976] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.976] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0084.976] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0084.976] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0084.976] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0084.976] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0084.976] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0084.976] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar") returned 142 [0084.976] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0084.976] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0084.976] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\*") returned 144 [0084.976] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0084.976] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.976] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.976] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.976] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.976] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.977] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\.") returned 144 [0084.977] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.977] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.977] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.977] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.977] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.977] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.977] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.977] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\..") returned 145 [0084.977] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.977] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.977] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0084.977] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0084.977] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0084.977] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0084.977] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0084.977] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0084.977] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json") returned 156 [0084.977] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0084.977] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0084.977] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0084.977] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0084.977] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0084.998] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json") returned 156 [0084.998] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0084.999] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json") returned 156 [0084.999] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0084.999] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json") returned 156 [0084.999] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0084.999] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x116, lpOverlapped=0x0) returned 1 [0084.999] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.999] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x116, lpOverlapped=0x0) returned 1 [0085.000] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.000] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.000] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.000] CloseHandle (hObject=0x200) returned 1 [0085.000] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json.protected") returned 166 [0085.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json.protected")) returned 1 [0085.001] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.001] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.001] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.001] lstrlenA (lpString="EMPTY") returned 5 [0085.001] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.002] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.002] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.002] CloseHandle (hObject=0x1fc) returned 1 [0085.002] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.002] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0085.002] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0085.002] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0085.002] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0085.002] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0085.002] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg") returned 142 [0085.002] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0085.002] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0085.002] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\*") returned 144 [0085.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.003] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.003] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.003] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.003] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.003] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.003] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\.") returned 144 [0085.003] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.003] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.003] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.003] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.003] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.003] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.003] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.003] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\..") returned 145 [0085.003] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.003] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.003] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.003] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.003] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.003] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.003] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.003] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.003] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json") returned 156 [0085.003] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.003] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.003] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.003] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.004] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json") returned 156 [0085.004] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.004] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json") returned 156 [0085.004] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.004] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json") returned 156 [0085.004] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.004] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x13f, lpOverlapped=0x0) returned 1 [0085.005] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffec1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.005] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x13f, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x13f, lpOverlapped=0x0) returned 1 [0085.005] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.005] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.005] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.005] CloseHandle (hObject=0x200) returned 1 [0085.005] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json.protected") returned 166 [0085.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json.protected")) returned 1 [0085.006] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.006] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.006] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.006] lstrlenA (lpString="EMPTY") returned 5 [0085.006] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.007] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.007] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.007] CloseHandle (hObject=0x1fc) returned 1 [0085.007] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.007] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0085.007] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0085.007] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0085.007] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0085.007] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0085.007] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca") returned 142 [0085.007] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0085.007] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0085.007] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\*") returned 144 [0085.007] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.007] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.008] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.008] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.008] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.008] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.008] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\.") returned 144 [0085.008] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.008] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.008] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.008] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.008] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.008] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.008] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.008] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\..") returned 145 [0085.008] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.008] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.008] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.008] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.008] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.008] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.008] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.008] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.008] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json") returned 156 [0085.008] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.008] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.008] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.008] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.009] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json") returned 156 [0085.009] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.009] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json") returned 156 [0085.009] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.009] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json") returned 156 [0085.009] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.009] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x109, lpOverlapped=0x0) returned 1 [0085.010] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.010] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x109, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x109, lpOverlapped=0x0) returned 1 [0085.010] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.010] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.010] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.010] CloseHandle (hObject=0x200) returned 1 [0085.010] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json.protected") returned 166 [0085.011] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json.protected")) returned 1 [0085.011] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.011] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.011] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.011] lstrlenA (lpString="EMPTY") returned 5 [0085.011] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.012] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.012] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.012] CloseHandle (hObject=0x1fc) returned 1 [0085.012] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.012] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0085.012] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0085.012] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0085.012] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0085.012] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0085.012] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs") returned 142 [0085.012] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0085.012] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0085.013] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\*") returned 144 [0085.013] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.013] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.013] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.013] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.013] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.013] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.013] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\.") returned 144 [0085.013] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.013] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.013] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.013] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.013] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.013] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.013] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.013] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\..") returned 145 [0085.013] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.013] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.013] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.013] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.013] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.013] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.013] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.013] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.013] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json") returned 156 [0085.013] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.013] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.013] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.013] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.014] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json") returned 156 [0085.014] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json") returned 156 [0085.014] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json") returned 156 [0085.014] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.014] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x103, lpOverlapped=0x0) returned 1 [0085.015] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.015] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x103, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x103, lpOverlapped=0x0) returned 1 [0085.015] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.015] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.015] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.015] CloseHandle (hObject=0x200) returned 1 [0085.015] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json.protected") returned 166 [0085.015] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json.protected")) returned 1 [0085.016] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.016] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.016] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.016] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.016] lstrlenA (lpString="EMPTY") returned 5 [0085.016] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.017] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.017] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.017] CloseHandle (hObject=0x1fc) returned 1 [0085.017] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.017] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0085.017] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0085.017] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0085.017] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0085.017] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0085.017] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da") returned 142 [0085.017] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0085.017] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0085.017] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\*") returned 144 [0085.017] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.017] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.017] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.017] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.017] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.017] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.017] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\.") returned 144 [0085.017] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.017] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.018] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.018] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.018] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.018] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.018] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.018] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\..") returned 145 [0085.018] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.018] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.018] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.018] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.018] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.018] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.018] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.018] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.018] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json") returned 156 [0085.018] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.018] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.018] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.018] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.018] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.019] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json") returned 156 [0085.019] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.019] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json") returned 156 [0085.019] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.019] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json") returned 156 [0085.019] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.019] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xf3, lpOverlapped=0x0) returned 1 [0085.020] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.020] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xf3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xf3, lpOverlapped=0x0) returned 1 [0085.020] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.020] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.020] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.020] CloseHandle (hObject=0x200) returned 1 [0085.020] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json.protected") returned 166 [0085.020] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json.protected")) returned 1 [0085.021] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.021] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.021] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.021] lstrlenA (lpString="EMPTY") returned 5 [0085.021] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.022] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.022] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.022] CloseHandle (hObject=0x1fc) returned 1 [0085.022] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.022] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0085.022] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0085.022] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0085.022] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0085.022] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0085.022] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de") returned 142 [0085.022] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0085.022] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0085.022] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\*") returned 144 [0085.022] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.023] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.023] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.023] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.023] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.023] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.023] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\.") returned 144 [0085.023] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.023] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.023] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.023] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.023] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.023] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.023] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.023] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\..") returned 145 [0085.023] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.023] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.023] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.023] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.023] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.023] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.023] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.023] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.023] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json") returned 156 [0085.023] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.023] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.023] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.023] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.024] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json") returned 156 [0085.024] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.024] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json") returned 156 [0085.024] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.024] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json") returned 156 [0085.024] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.024] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x100, lpOverlapped=0x0) returned 1 [0085.025] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.025] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x100, lpOverlapped=0x0) returned 1 [0085.025] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.025] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.025] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.025] CloseHandle (hObject=0x200) returned 1 [0085.025] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json.protected") returned 166 [0085.025] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json.protected")) returned 1 [0085.025] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.026] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.026] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.026] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.026] lstrlenA (lpString="EMPTY") returned 5 [0085.026] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.027] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.027] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.027] CloseHandle (hObject=0x1fc) returned 1 [0085.027] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.027] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0085.027] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0085.027] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0085.027] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0085.027] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0085.027] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el") returned 142 [0085.027] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0085.027] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0085.027] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\*") returned 144 [0085.027] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.027] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.027] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.027] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.027] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.027] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.027] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\.") returned 144 [0085.027] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.027] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.027] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.027] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.027] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.027] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.027] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.027] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\..") returned 145 [0085.027] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.027] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.027] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.028] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.028] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.028] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.028] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.028] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.028] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json") returned 156 [0085.028] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.028] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.028] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.028] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.028] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.029] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json") returned 156 [0085.029] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.029] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json") returned 156 [0085.029] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.029] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json") returned 156 [0085.029] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.029] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x149, lpOverlapped=0x0) returned 1 [0085.030] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.030] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x149, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x149, lpOverlapped=0x0) returned 1 [0085.030] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.030] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.030] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.030] CloseHandle (hObject=0x200) returned 1 [0085.030] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json.protected") returned 166 [0085.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json.protected")) returned 1 [0085.032] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.032] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.032] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.032] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.033] lstrlenA (lpString="EMPTY") returned 5 [0085.033] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.033] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.033] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.033] CloseHandle (hObject=0x1fc) returned 1 [0085.033] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.033] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0085.034] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0085.034] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0085.034] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0085.034] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0085.034] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB") returned 145 [0085.034] lstrcmpW (lpString1="en_GB", lpString2=".") returned 1 [0085.034] lstrcmpW (lpString1="en_GB", lpString2="..") returned 1 [0085.034] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\*") returned 147 [0085.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.034] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.034] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.034] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.034] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.034] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.034] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\.") returned 147 [0085.034] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.034] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.034] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.034] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.034] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.034] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.034] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.034] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\..") returned 148 [0085.034] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.034] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.034] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.034] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.034] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.034] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.034] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.034] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.034] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json") returned 159 [0085.034] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.034] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.034] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.035] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.035] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json") returned 159 [0085.035] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.035] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json") returned 159 [0085.035] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.035] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json") returned 159 [0085.035] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.035] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xf9, lpOverlapped=0x0) returned 1 [0085.036] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.036] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xf9, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xf9, lpOverlapped=0x0) returned 1 [0085.036] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.036] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.036] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.036] CloseHandle (hObject=0x200) returned 1 [0085.036] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json.protected") returned 169 [0085.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_gb\\messages.json.protected")) returned 1 [0085.037] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.037] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.037] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0085.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_gb\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.037] lstrlenA (lpString="EMPTY") returned 5 [0085.037] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.037] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.038] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.038] CloseHandle (hObject=0x1fc) returned 1 [0085.038] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.038] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0085.038] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0085.038] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0085.038] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0085.038] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0085.038] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US") returned 145 [0085.038] lstrcmpW (lpString1="en_US", lpString2=".") returned 1 [0085.038] lstrcmpW (lpString1="en_US", lpString2="..") returned 1 [0085.038] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\*") returned 147 [0085.038] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.038] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.038] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.038] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.038] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.038] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.038] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\.") returned 147 [0085.038] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.038] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.038] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.038] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.038] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.038] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.038] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.038] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\..") returned 148 [0085.038] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.039] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.039] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.039] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.039] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.039] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.039] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.039] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.039] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json") returned 159 [0085.039] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.039] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.039] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.039] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.039] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json") returned 159 [0085.039] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.040] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json") returned 159 [0085.040] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.040] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json") returned 159 [0085.040] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.040] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xf9, lpOverlapped=0x0) returned 1 [0085.040] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.040] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xf9, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xf9, lpOverlapped=0x0) returned 1 [0085.040] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.041] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.041] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.041] CloseHandle (hObject=0x200) returned 1 [0085.041] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json.protected") returned 169 [0085.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_us\\messages.json.protected")) returned 1 [0085.041] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.041] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.041] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0085.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_us\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.042] lstrlenA (lpString="EMPTY") returned 5 [0085.042] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.042] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.042] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.042] CloseHandle (hObject=0x1fc) returned 1 [0085.042] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.042] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0085.043] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0085.043] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0085.043] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0085.043] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0085.043] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es") returned 142 [0085.043] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0085.043] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0085.043] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\*") returned 144 [0085.043] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.043] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.043] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.043] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.043] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.043] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.043] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\.") returned 144 [0085.043] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.043] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.043] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.043] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.043] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.043] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.043] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.043] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\..") returned 145 [0085.043] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.043] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.043] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.043] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.043] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.043] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.043] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.043] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.043] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json") returned 156 [0085.043] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.043] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.043] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.043] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.044] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.044] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json") returned 156 [0085.044] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.044] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json") returned 156 [0085.044] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.044] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json") returned 156 [0085.044] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.044] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x103, lpOverlapped=0x0) returned 1 [0085.045] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.045] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x103, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x103, lpOverlapped=0x0) returned 1 [0085.045] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.045] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.045] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.045] CloseHandle (hObject=0x200) returned 1 [0085.045] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json.protected") returned 166 [0085.045] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json.protected")) returned 1 [0085.046] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.046] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.046] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.046] lstrlenA (lpString="EMPTY") returned 5 [0085.046] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.047] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.047] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.047] CloseHandle (hObject=0x1fc) returned 1 [0085.047] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.047] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0085.047] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0085.047] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0085.047] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0085.047] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0085.047] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419") returned 146 [0085.047] lstrcmpW (lpString1="es_419", lpString2=".") returned 1 [0085.047] lstrcmpW (lpString1="es_419", lpString2="..") returned 1 [0085.047] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\*") returned 148 [0085.048] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.048] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.048] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.048] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.048] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.048] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.048] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\.") returned 148 [0085.048] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.048] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.048] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.048] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.048] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.048] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.048] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.048] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\..") returned 149 [0085.048] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.048] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.048] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.048] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.048] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.048] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.048] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.048] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.048] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json") returned 160 [0085.048] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.048] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.048] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.049] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.050] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json") returned 160 [0085.050] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.050] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json") returned 160 [0085.050] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.050] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json") returned 160 [0085.050] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.050] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x103, lpOverlapped=0x0) returned 1 [0085.051] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.051] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x103, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x103, lpOverlapped=0x0) returned 1 [0085.051] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.051] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.051] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.051] CloseHandle (hObject=0x200) returned 1 [0085.051] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json.protected") returned 170 [0085.051] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json.protected")) returned 1 [0085.052] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.052] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.052] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 176 [0085.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.052] lstrlenA (lpString="EMPTY") returned 5 [0085.052] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.053] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.053] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.053] CloseHandle (hObject=0x1fc) returned 1 [0085.053] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.053] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0085.053] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0085.053] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0085.053] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0085.053] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0085.053] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et") returned 142 [0085.053] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0085.053] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0085.054] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\*") returned 144 [0085.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.054] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.054] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.054] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.054] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.054] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.054] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\.") returned 144 [0085.054] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.054] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.054] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.054] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.054] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.054] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.054] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.054] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\..") returned 145 [0085.054] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.054] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.054] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.054] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.054] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.054] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.054] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.054] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.054] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json") returned 156 [0085.054] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.054] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.054] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.054] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.055] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json") returned 156 [0085.055] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.055] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json") returned 156 [0085.055] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.055] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json") returned 156 [0085.055] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.055] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xfb, lpOverlapped=0x0) returned 1 [0085.055] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.056] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xfb, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xfb, lpOverlapped=0x0) returned 1 [0085.056] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.056] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.056] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.056] CloseHandle (hObject=0x200) returned 1 [0085.056] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json.protected") returned 166 [0085.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json.protected")) returned 1 [0085.057] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.057] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.057] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.057] lstrlenA (lpString="EMPTY") returned 5 [0085.057] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.058] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.058] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.058] CloseHandle (hObject=0x1fc) returned 1 [0085.058] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.058] lstrcmpiW (lpString1="eu", lpString2="Windows") returned -1 [0085.058] lstrcmpiW (lpString1="eu", lpString2="Program Files") returned -1 [0085.058] lstrcmpiW (lpString1="eu", lpString2="Program Files (x86)") returned -1 [0085.058] lstrcmpiW (lpString1="eu", lpString2="$Recycle.bin") returned 1 [0085.058] lstrcmpiW (lpString1="eu", lpString2="System Volume Information") returned -1 [0085.058] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu") returned 142 [0085.058] lstrcmpW (lpString1="eu", lpString2=".") returned 1 [0085.058] lstrcmpW (lpString1="eu", lpString2="..") returned 1 [0085.058] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\*") returned 144 [0085.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.058] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.058] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.058] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.058] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.058] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.059] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\.") returned 144 [0085.059] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.059] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.059] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.059] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.059] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.059] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.059] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.059] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\..") returned 145 [0085.059] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.059] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.059] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.059] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.059] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.059] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.059] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.059] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.059] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json") returned 156 [0085.059] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.059] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.059] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.059] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.093] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json") returned 156 [0085.093] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.093] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json") returned 156 [0085.093] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.093] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json") returned 156 [0085.093] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.094] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xf3, lpOverlapped=0x0) returned 1 [0085.094] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.094] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xf3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xf3, lpOverlapped=0x0) returned 1 [0085.095] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.095] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.095] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.095] CloseHandle (hObject=0x200) returned 1 [0085.095] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json.protected") returned 166 [0085.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json.protected")) returned 1 [0085.096] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.096] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.096] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.096] lstrlenA (lpString="EMPTY") returned 5 [0085.096] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.097] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.097] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.097] CloseHandle (hObject=0x1fc) returned 1 [0085.097] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.097] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0085.097] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0085.097] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0085.097] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0085.097] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0085.097] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi") returned 142 [0085.098] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0085.098] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0085.098] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\*") returned 144 [0085.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.098] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.098] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.098] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.098] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.098] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.098] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\.") returned 144 [0085.098] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.098] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.098] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.098] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.098] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.098] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.098] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.098] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\..") returned 145 [0085.098] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.098] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.098] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.098] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.098] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.098] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.098] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.098] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.098] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json") returned 156 [0085.099] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.099] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.099] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.099] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json") returned 156 [0085.099] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json") returned 156 [0085.099] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json") returned 156 [0085.099] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.099] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x101, lpOverlapped=0x0) returned 1 [0085.100] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.100] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x101, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x101, lpOverlapped=0x0) returned 1 [0085.100] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.100] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.100] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.100] CloseHandle (hObject=0x200) returned 1 [0085.101] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json.protected") returned 166 [0085.101] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json.protected")) returned 1 [0085.101] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.101] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.101] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.102] lstrlenA (lpString="EMPTY") returned 5 [0085.102] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.102] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.102] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.103] CloseHandle (hObject=0x1fc) returned 1 [0085.103] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.103] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0085.103] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0085.103] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0085.103] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0085.103] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0085.103] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil") returned 143 [0085.103] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0085.103] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0085.103] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\*") returned 145 [0085.103] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.103] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.103] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.103] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.103] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.103] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.103] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\.") returned 145 [0085.103] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.103] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.103] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.104] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.104] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.104] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.104] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.104] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\..") returned 146 [0085.104] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.104] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.104] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.104] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.104] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.104] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.104] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.104] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.104] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json") returned 157 [0085.104] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.104] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.104] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.104] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.119] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json") returned 157 [0085.119] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.119] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json") returned 157 [0085.119] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.119] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json") returned 157 [0085.119] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.119] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x104, lpOverlapped=0x0) returned 1 [0085.120] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.120] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x104, lpOverlapped=0x0) returned 1 [0085.120] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.120] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.120] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.120] CloseHandle (hObject=0x200) returned 1 [0085.121] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json.protected") returned 167 [0085.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json.protected")) returned 1 [0085.121] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.121] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.121] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.121] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.122] lstrlenA (lpString="EMPTY") returned 5 [0085.122] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.123] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.123] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.123] CloseHandle (hObject=0x1fc) returned 1 [0085.123] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.123] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0085.123] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0085.123] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0085.123] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0085.123] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0085.123] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr") returned 142 [0085.123] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0085.123] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0085.123] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\*") returned 144 [0085.123] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.123] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.123] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.123] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.123] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.124] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.124] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\.") returned 144 [0085.124] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.124] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.124] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.124] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.124] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.124] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.124] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.124] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\..") returned 145 [0085.124] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.124] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.124] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.124] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.124] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.124] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.124] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.124] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.124] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json") returned 156 [0085.124] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.124] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.124] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.124] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json") returned 156 [0085.125] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json") returned 156 [0085.125] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json") returned 156 [0085.125] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.125] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xfc, lpOverlapped=0x0) returned 1 [0085.126] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.126] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xfc, lpOverlapped=0x0) returned 1 [0085.126] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.126] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.126] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.126] CloseHandle (hObject=0x200) returned 1 [0085.126] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json.protected") returned 166 [0085.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json.protected")) returned 1 [0085.127] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.127] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.127] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.127] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.127] lstrlenA (lpString="EMPTY") returned 5 [0085.127] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.128] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.128] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.128] CloseHandle (hObject=0x1fc) returned 1 [0085.128] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.128] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0085.128] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0085.128] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0085.128] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0085.128] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0085.128] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he") returned 142 [0085.128] lstrcmpW (lpString1="he", lpString2=".") returned 1 [0085.128] lstrcmpW (lpString1="he", lpString2="..") returned 1 [0085.128] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\*") returned 144 [0085.128] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.129] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.129] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.129] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.129] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.129] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.129] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\.") returned 144 [0085.129] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.129] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.129] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.129] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.129] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.129] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.129] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.129] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\..") returned 145 [0085.129] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.129] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.129] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.129] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.129] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.129] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.129] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.129] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.129] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json") returned 156 [0085.129] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.129] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.129] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.130] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json") returned 156 [0085.131] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json") returned 156 [0085.131] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json") returned 156 [0085.131] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.131] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x116, lpOverlapped=0x0) returned 1 [0085.132] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.132] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x116, lpOverlapped=0x0) returned 1 [0085.132] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.132] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.132] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.133] CloseHandle (hObject=0x200) returned 1 [0085.133] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json.protected") returned 166 [0085.133] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json.protected")) returned 1 [0085.133] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.133] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.133] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.134] lstrlenA (lpString="EMPTY") returned 5 [0085.134] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.135] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.135] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.135] CloseHandle (hObject=0x1fc) returned 1 [0085.135] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.135] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0085.135] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0085.135] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0085.135] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0085.135] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0085.135] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi") returned 142 [0085.135] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0085.135] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0085.135] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\*") returned 144 [0085.135] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.136] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.136] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.136] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.136] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.136] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.136] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\.") returned 144 [0085.136] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.136] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.136] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.136] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.136] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.136] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.136] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.136] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\..") returned 145 [0085.136] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.136] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.136] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.136] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.136] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.136] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.136] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.136] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.136] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json") returned 156 [0085.136] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.136] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.136] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.136] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json") returned 156 [0085.137] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json") returned 156 [0085.137] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json") returned 156 [0085.137] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.137] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x159, lpOverlapped=0x0) returned 1 [0085.138] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffea7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.138] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x159, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x159, lpOverlapped=0x0) returned 1 [0085.138] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.138] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.138] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.138] CloseHandle (hObject=0x200) returned 1 [0085.138] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json.protected") returned 166 [0085.139] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json.protected")) returned 1 [0085.139] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.139] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.139] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.140] lstrlenA (lpString="EMPTY") returned 5 [0085.140] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.141] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.141] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.141] CloseHandle (hObject=0x1fc) returned 1 [0085.141] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.141] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0085.141] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0085.141] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0085.141] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0085.141] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0085.141] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr") returned 142 [0085.141] lstrcmpW (lpString1="hr", lpString2=".") returned 1 [0085.141] lstrcmpW (lpString1="hr", lpString2="..") returned 1 [0085.141] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\*") returned 144 [0085.141] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.141] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.141] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.142] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.142] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.142] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.142] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\.") returned 144 [0085.142] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.142] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.142] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.142] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.142] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.142] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.142] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.142] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\..") returned 145 [0085.142] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.142] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.142] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.142] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.142] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.142] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.142] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.142] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.142] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json") returned 156 [0085.142] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.142] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.142] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.142] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.143] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json") returned 156 [0085.143] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.143] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json") returned 156 [0085.143] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.143] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json") returned 156 [0085.143] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.144] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x107, lpOverlapped=0x0) returned 1 [0085.145] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.145] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x107, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x107, lpOverlapped=0x0) returned 1 [0085.145] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.145] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.145] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.145] CloseHandle (hObject=0x200) returned 1 [0085.145] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json.protected") returned 166 [0085.145] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json.protected")) returned 1 [0085.146] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.146] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.146] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.147] lstrlenA (lpString="EMPTY") returned 5 [0085.147] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.147] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.148] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.148] CloseHandle (hObject=0x1fc) returned 1 [0085.148] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.148] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0085.148] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0085.148] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0085.148] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0085.148] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0085.148] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu") returned 142 [0085.148] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0085.148] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0085.148] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\*") returned 144 [0085.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.148] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.148] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.148] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.148] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.148] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.148] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\.") returned 144 [0085.148] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.149] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.149] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.149] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.149] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.149] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.149] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.149] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\..") returned 145 [0085.149] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.149] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.149] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.149] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.149] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.149] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.149] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.149] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.149] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json") returned 156 [0085.149] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.149] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.149] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.149] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.149] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json") returned 156 [0085.149] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.149] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json") returned 156 [0085.150] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.150] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json") returned 156 [0085.150] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.150] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x108, lpOverlapped=0x0) returned 1 [0085.150] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.150] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x108, lpOverlapped=0x0) returned 1 [0085.150] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.151] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.151] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.151] CloseHandle (hObject=0x200) returned 1 [0085.151] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json.protected") returned 166 [0085.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json.protected")) returned 1 [0085.151] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.151] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.151] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.152] lstrlenA (lpString="EMPTY") returned 5 [0085.152] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.152] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.152] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.153] CloseHandle (hObject=0x1fc) returned 1 [0085.153] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.153] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0085.153] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0085.153] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0085.153] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0085.153] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0085.153] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id") returned 142 [0085.153] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0085.153] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0085.153] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\*") returned 144 [0085.153] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.153] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.153] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.153] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.153] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.153] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.153] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\.") returned 144 [0085.153] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.153] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.154] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.154] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.154] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.154] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.154] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.154] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\..") returned 145 [0085.154] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.154] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.154] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.154] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.154] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.154] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.154] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.154] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.154] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json") returned 156 [0085.154] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.154] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.154] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.154] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.155] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json") returned 156 [0085.155] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.155] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json") returned 156 [0085.155] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.155] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json") returned 156 [0085.155] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.155] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x105, lpOverlapped=0x0) returned 1 [0085.156] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffefb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.156] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x105, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x105, lpOverlapped=0x0) returned 1 [0085.156] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.156] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.157] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.157] CloseHandle (hObject=0x200) returned 1 [0085.157] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json.protected") returned 166 [0085.157] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json.protected")) returned 1 [0085.158] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.158] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.158] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.158] lstrlenA (lpString="EMPTY") returned 5 [0085.158] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.159] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.159] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.159] CloseHandle (hObject=0x1fc) returned 1 [0085.159] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.159] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0085.159] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0085.159] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0085.159] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0085.159] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0085.159] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it") returned 142 [0085.159] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0085.159] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0085.160] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\*") returned 144 [0085.160] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.160] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.160] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.160] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.160] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.160] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.160] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\.") returned 144 [0085.160] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.160] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.160] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.160] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.160] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.160] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.160] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.160] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\..") returned 145 [0085.160] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.160] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.160] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.160] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.160] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.160] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.160] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.160] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.160] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json") returned 156 [0085.161] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.161] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.161] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.161] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.161] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json") returned 156 [0085.161] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.161] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json") returned 156 [0085.161] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.161] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json") returned 156 [0085.161] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.161] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x102, lpOverlapped=0x0) returned 1 [0085.162] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.162] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x102, lpOverlapped=0x0) returned 1 [0085.162] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.162] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.162] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.163] CloseHandle (hObject=0x200) returned 1 [0085.163] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json.protected") returned 166 [0085.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json.protected")) returned 1 [0085.163] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.163] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.163] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.163] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.164] lstrlenA (lpString="EMPTY") returned 5 [0085.164] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.165] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.165] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.165] CloseHandle (hObject=0x1fc) returned 1 [0085.165] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.165] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0085.165] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0085.165] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0085.165] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0085.165] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0085.165] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja") returned 142 [0085.165] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0085.165] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0085.165] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\*") returned 144 [0085.165] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.166] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.166] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.166] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.166] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.166] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.166] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\.") returned 144 [0085.166] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.166] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.166] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.166] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.166] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.166] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.166] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.166] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\..") returned 145 [0085.166] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.166] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.166] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.166] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.166] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.166] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.166] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.166] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.166] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json") returned 156 [0085.166] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.166] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.166] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.166] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json") returned 156 [0085.167] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json") returned 156 [0085.167] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.168] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json") returned 156 [0085.168] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.168] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x125, lpOverlapped=0x0) returned 1 [0085.169] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffedb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.169] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x125, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x125, lpOverlapped=0x0) returned 1 [0085.169] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.169] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.169] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.169] CloseHandle (hObject=0x200) returned 1 [0085.169] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json.protected") returned 166 [0085.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json.protected")) returned 1 [0085.170] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.170] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.170] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.170] lstrlenA (lpString="EMPTY") returned 5 [0085.171] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.171] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.171] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.171] CloseHandle (hObject=0x1fc) returned 1 [0085.172] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.172] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0085.172] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0085.172] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0085.172] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0085.172] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0085.172] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko") returned 142 [0085.172] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0085.172] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0085.172] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\*") returned 144 [0085.172] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.172] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.172] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.172] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.172] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.172] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.172] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\.") returned 144 [0085.172] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.172] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.172] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.172] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.172] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.173] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.173] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.173] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\..") returned 145 [0085.173] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.173] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.173] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.173] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.173] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.173] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.173] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.173] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.173] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json") returned 156 [0085.173] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.173] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.173] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.173] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.173] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json") returned 156 [0085.173] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.173] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json") returned 156 [0085.173] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.173] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json") returned 156 [0085.173] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.174] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x119, lpOverlapped=0x0) returned 1 [0085.174] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffee7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.174] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x119, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x119, lpOverlapped=0x0) returned 1 [0085.175] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.175] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.175] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.175] CloseHandle (hObject=0x200) returned 1 [0085.175] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json.protected") returned 166 [0085.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json.protected")) returned 1 [0085.176] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.176] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.176] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.176] lstrlenA (lpString="EMPTY") returned 5 [0085.176] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.177] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.177] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.177] CloseHandle (hObject=0x1fc) returned 1 [0085.177] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.177] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0085.177] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0085.177] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0085.177] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0085.177] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0085.177] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt") returned 142 [0085.177] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0085.177] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0085.178] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\*") returned 144 [0085.178] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.178] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.178] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.178] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.178] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.178] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.178] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\.") returned 144 [0085.178] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.178] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.178] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.178] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.178] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.178] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.178] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.178] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\..") returned 145 [0085.178] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.178] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.178] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.178] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.178] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.178] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.178] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.178] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.178] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json") returned 156 [0085.178] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.178] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.178] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.179] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.180] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json") returned 156 [0085.180] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.180] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json") returned 156 [0085.180] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.180] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json") returned 156 [0085.180] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.180] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x11d, lpOverlapped=0x0) returned 1 [0085.181] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffee3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.181] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x11d, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x11d, lpOverlapped=0x0) returned 1 [0085.181] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.181] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.181] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.181] CloseHandle (hObject=0x200) returned 1 [0085.181] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json.protected") returned 166 [0085.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json.protected")) returned 1 [0085.182] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.182] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.182] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.182] lstrlenA (lpString="EMPTY") returned 5 [0085.182] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.183] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.183] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.183] CloseHandle (hObject=0x1fc) returned 1 [0085.184] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.184] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0085.184] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0085.184] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0085.184] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0085.184] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0085.184] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv") returned 142 [0085.184] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0085.184] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0085.184] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\*") returned 144 [0085.184] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.184] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.184] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.184] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.184] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.184] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.184] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\.") returned 144 [0085.184] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.184] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.185] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.185] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.185] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.185] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.185] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.185] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\..") returned 145 [0085.185] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.185] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.185] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.185] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.185] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.185] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.185] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.185] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.185] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json") returned 156 [0085.185] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.185] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.185] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.185] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.186] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json") returned 156 [0085.186] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.186] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json") returned 156 [0085.186] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.186] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json") returned 156 [0085.186] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.186] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x102, lpOverlapped=0x0) returned 1 [0085.187] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.187] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x102, lpOverlapped=0x0) returned 1 [0085.187] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.187] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.187] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.187] CloseHandle (hObject=0x200) returned 1 [0085.188] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json.protected") returned 166 [0085.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json.protected")) returned 1 [0085.188] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.188] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.189] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.189] lstrlenA (lpString="EMPTY") returned 5 [0085.189] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.190] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.190] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.190] CloseHandle (hObject=0x1fc) returned 1 [0085.190] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.190] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0085.190] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0085.190] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0085.190] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0085.190] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0085.190] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms") returned 142 [0085.190] lstrcmpW (lpString1="ms", lpString2=".") returned 1 [0085.190] lstrcmpW (lpString1="ms", lpString2="..") returned 1 [0085.190] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\*") returned 144 [0085.190] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.191] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.191] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.191] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.191] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.191] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.191] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\.") returned 144 [0085.191] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.191] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.191] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.191] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.191] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.191] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.191] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.191] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\..") returned 145 [0085.191] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.191] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.191] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.191] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.191] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.191] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.191] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.191] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.191] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json") returned 156 [0085.191] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.191] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.191] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.191] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.194] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json") returned 156 [0085.195] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.195] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json") returned 156 [0085.195] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.195] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json") returned 156 [0085.195] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.195] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xfe, lpOverlapped=0x0) returned 1 [0085.196] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.196] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xfe, lpOverlapped=0x0) returned 1 [0085.196] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.196] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.196] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.196] CloseHandle (hObject=0x200) returned 1 [0085.196] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json.protected") returned 166 [0085.196] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json.protected")) returned 1 [0085.197] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.197] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.197] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.198] lstrlenA (lpString="EMPTY") returned 5 [0085.198] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.198] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.198] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.199] CloseHandle (hObject=0x1fc) returned 1 [0085.199] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.199] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0085.199] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0085.199] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0085.199] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0085.199] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0085.199] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl") returned 142 [0085.199] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0085.199] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0085.199] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\*") returned 144 [0085.199] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.199] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.199] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.199] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.199] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.199] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.199] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\.") returned 144 [0085.199] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.199] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.199] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.199] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.199] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.199] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.199] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.200] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\..") returned 145 [0085.200] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.200] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.200] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.200] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.200] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.200] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.200] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.200] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.200] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json") returned 156 [0085.200] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.200] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.200] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.200] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.200] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json") returned 156 [0085.200] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.200] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json") returned 156 [0085.200] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.200] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json") returned 156 [0085.200] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.200] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xf2, lpOverlapped=0x0) returned 1 [0085.201] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.201] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xf2, lpOverlapped=0x0) returned 1 [0085.202] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.202] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.202] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.202] CloseHandle (hObject=0x200) returned 1 [0085.202] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json.protected") returned 166 [0085.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json.protected")) returned 1 [0085.202] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.203] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.203] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.203] lstrlenA (lpString="EMPTY") returned 5 [0085.203] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.204] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.204] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.204] CloseHandle (hObject=0x1fc) returned 1 [0085.204] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.204] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0085.204] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0085.204] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0085.204] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0085.204] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0085.204] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no") returned 142 [0085.204] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0085.204] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0085.204] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\*") returned 144 [0085.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.205] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.205] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.205] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.205] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.205] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.205] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\.") returned 144 [0085.205] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.205] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.205] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.205] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.205] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.205] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.205] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.205] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\..") returned 145 [0085.205] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.205] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.205] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.205] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.205] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.205] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.205] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.205] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.205] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json") returned 156 [0085.205] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.205] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.205] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.205] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json") returned 156 [0085.206] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json") returned 156 [0085.206] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json") returned 156 [0085.206] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.207] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xda, lpOverlapped=0x0) returned 1 [0085.207] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.207] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xda, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xda, lpOverlapped=0x0) returned 1 [0085.208] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.208] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.209] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.209] CloseHandle (hObject=0x200) returned 1 [0085.209] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json.protected") returned 166 [0085.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json.protected")) returned 1 [0085.210] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.210] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.210] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.210] lstrlenA (lpString="EMPTY") returned 5 [0085.210] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.211] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.211] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.211] CloseHandle (hObject=0x1fc) returned 1 [0085.211] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.211] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0085.211] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0085.211] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0085.211] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0085.211] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0085.211] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl") returned 142 [0085.211] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0085.211] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0085.211] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\*") returned 144 [0085.211] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.212] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.212] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.212] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.212] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.212] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.212] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\.") returned 144 [0085.212] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.212] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.212] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.212] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.212] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.212] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.212] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.212] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\..") returned 145 [0085.212] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.212] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.212] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.212] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.212] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.212] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.212] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.212] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.212] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json") returned 156 [0085.212] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.212] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.212] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.212] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.213] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json") returned 156 [0085.213] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.213] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json") returned 156 [0085.213] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.213] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json") returned 156 [0085.213] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.213] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x101, lpOverlapped=0x0) returned 1 [0085.214] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.214] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x101, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x101, lpOverlapped=0x0) returned 1 [0085.214] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.214] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.214] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.214] CloseHandle (hObject=0x200) returned 1 [0085.214] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json.protected") returned 166 [0085.214] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json.protected")) returned 1 [0085.215] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.215] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.215] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.215] lstrlenA (lpString="EMPTY") returned 5 [0085.215] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.216] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.216] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.216] CloseHandle (hObject=0x1fc) returned 1 [0085.216] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.216] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0085.216] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0085.216] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0085.216] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0085.216] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0085.216] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR") returned 145 [0085.216] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0085.217] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0085.217] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\*") returned 147 [0085.217] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.217] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.217] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.217] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.217] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.217] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.217] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\.") returned 147 [0085.217] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.217] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.217] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.217] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.217] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.217] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.217] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.217] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\..") returned 148 [0085.217] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.217] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.217] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.217] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.217] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.217] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.217] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.217] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.217] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json") returned 159 [0085.218] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.218] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.218] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.218] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.219] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json") returned 159 [0085.219] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.219] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json") returned 159 [0085.219] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.219] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json") returned 159 [0085.219] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.219] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xf6, lpOverlapped=0x0) returned 1 [0085.220] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.220] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xf6, lpOverlapped=0x0) returned 1 [0085.220] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.220] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.220] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.220] CloseHandle (hObject=0x200) returned 1 [0085.220] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json.protected") returned 169 [0085.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0085.221] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.221] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.221] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0085.221] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_br\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.221] lstrlenA (lpString="EMPTY") returned 5 [0085.221] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.222] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.222] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.222] CloseHandle (hObject=0x1fc) returned 1 [0085.222] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.222] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0085.222] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0085.222] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0085.222] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0085.222] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0085.222] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT") returned 145 [0085.222] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0085.222] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0085.222] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\*") returned 147 [0085.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.223] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.223] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.223] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.223] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.223] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.223] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\.") returned 147 [0085.223] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.223] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.223] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.223] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.223] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.223] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.223] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.223] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\..") returned 148 [0085.223] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.223] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.223] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.223] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.223] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.223] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.223] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.223] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.223] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json") returned 159 [0085.223] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.223] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.223] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.223] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json") returned 159 [0085.224] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json") returned 159 [0085.224] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json") returned 159 [0085.224] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.224] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x108, lpOverlapped=0x0) returned 1 [0085.224] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.225] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x108, lpOverlapped=0x0) returned 1 [0085.225] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.225] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.225] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.225] CloseHandle (hObject=0x200) returned 1 [0085.225] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json.protected") returned 169 [0085.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0085.225] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.225] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.226] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0085.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_pt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.226] lstrlenA (lpString="EMPTY") returned 5 [0085.226] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.226] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.226] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.227] CloseHandle (hObject=0x1fc) returned 1 [0085.227] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.227] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0085.227] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0085.227] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0085.227] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0085.227] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0085.227] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro") returned 142 [0085.227] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0085.227] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0085.227] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\*") returned 144 [0085.227] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.227] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.227] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.227] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.227] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.227] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.227] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\.") returned 144 [0085.227] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.227] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.227] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.227] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.227] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.227] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.227] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.227] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\..") returned 145 [0085.227] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.227] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.227] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.228] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.228] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.228] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.228] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.228] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.228] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json") returned 156 [0085.228] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.228] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.228] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.228] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json") returned 156 [0085.229] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json") returned 156 [0085.229] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json") returned 156 [0085.229] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.229] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x119, lpOverlapped=0x0) returned 1 [0085.229] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffee7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.229] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x119, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x119, lpOverlapped=0x0) returned 1 [0085.230] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.230] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.230] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.230] CloseHandle (hObject=0x200) returned 1 [0085.230] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json.protected") returned 166 [0085.230] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json.protected")) returned 1 [0085.231] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.231] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.231] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.231] lstrlenA (lpString="EMPTY") returned 5 [0085.231] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.232] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.232] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.232] CloseHandle (hObject=0x1fc) returned 1 [0085.232] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.232] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0085.232] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0085.232] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0085.232] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0085.232] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0085.232] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru") returned 142 [0085.232] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0085.232] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0085.232] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\*") returned 144 [0085.232] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.232] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.232] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.232] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.232] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.232] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.232] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\.") returned 144 [0085.232] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.232] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.233] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.233] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.233] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.233] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.233] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.233] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\..") returned 145 [0085.233] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.233] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.233] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.233] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.233] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.233] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.233] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.233] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.233] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json") returned 156 [0085.233] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.233] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.233] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.233] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.233] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.233] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json") returned 156 [0085.233] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.233] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json") returned 156 [0085.233] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.233] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json") returned 156 [0085.233] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.233] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x152, lpOverlapped=0x0) returned 1 [0085.234] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.234] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x152, lpOverlapped=0x0) returned 1 [0085.234] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.234] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.234] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.234] CloseHandle (hObject=0x200) returned 1 [0085.235] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json.protected") returned 166 [0085.235] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json.protected")) returned 1 [0085.235] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.235] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.235] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.235] lstrlenA (lpString="EMPTY") returned 5 [0085.236] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.236] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.236] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.236] CloseHandle (hObject=0x1fc) returned 1 [0085.237] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.237] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0085.237] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0085.237] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0085.237] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0085.237] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0085.237] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk") returned 142 [0085.237] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0085.237] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0085.237] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\*") returned 144 [0085.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.237] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.237] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.237] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.237] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.237] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.237] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\.") returned 144 [0085.237] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.237] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.237] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.237] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.237] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.237] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.237] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.237] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\..") returned 145 [0085.237] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.237] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.237] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.237] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.237] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.237] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.237] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.237] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.237] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json") returned 156 [0085.237] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.237] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.237] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.238] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.238] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json") returned 156 [0085.238] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.238] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json") returned 156 [0085.239] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.239] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json") returned 156 [0085.239] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.239] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x112, lpOverlapped=0x0) returned 1 [0085.239] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.239] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x112, lpOverlapped=0x0) returned 1 [0085.239] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.239] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.240] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.240] CloseHandle (hObject=0x200) returned 1 [0085.240] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json.protected") returned 166 [0085.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json.protected")) returned 1 [0085.240] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.240] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.240] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.241] lstrlenA (lpString="EMPTY") returned 5 [0085.241] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.242] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.242] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.242] CloseHandle (hObject=0x1fc) returned 1 [0085.242] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.242] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0085.242] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0085.242] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0085.242] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0085.242] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0085.242] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl") returned 142 [0085.242] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0085.242] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0085.242] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\*") returned 144 [0085.242] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.243] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.243] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.243] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.243] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.243] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.243] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\.") returned 144 [0085.243] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.243] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.243] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.243] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.243] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.243] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.243] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.243] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\..") returned 145 [0085.243] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.243] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.243] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.243] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.243] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.243] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.243] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.243] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.243] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json") returned 156 [0085.243] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.243] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.243] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.243] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.243] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.244] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json") returned 156 [0085.244] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.244] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json") returned 156 [0085.244] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.244] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json") returned 156 [0085.244] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.244] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x10c, lpOverlapped=0x0) returned 1 [0085.245] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.245] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x10c, lpOverlapped=0x0) returned 1 [0085.245] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.245] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.245] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.245] CloseHandle (hObject=0x200) returned 1 [0085.245] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json.protected") returned 166 [0085.245] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json.protected")) returned 1 [0085.246] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.246] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.246] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.247] lstrlenA (lpString="EMPTY") returned 5 [0085.247] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.247] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.247] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.247] CloseHandle (hObject=0x1fc) returned 1 [0085.248] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.248] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0085.248] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0085.248] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0085.248] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0085.248] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0085.248] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr") returned 142 [0085.248] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0085.248] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0085.248] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\*") returned 144 [0085.248] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.248] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.248] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.248] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.248] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.248] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.248] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\.") returned 144 [0085.248] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.248] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.248] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.248] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.248] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.248] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.248] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.248] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\..") returned 145 [0085.248] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.248] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.248] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.248] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.248] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.248] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.248] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.249] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.249] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json") returned 156 [0085.249] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.249] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.249] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.249] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.249] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json") returned 156 [0085.249] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json") returned 156 [0085.250] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json") returned 156 [0085.250] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.250] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x11f, lpOverlapped=0x0) returned 1 [0085.250] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffee1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.250] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x11f, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x11f, lpOverlapped=0x0) returned 1 [0085.250] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.250] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.251] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.251] CloseHandle (hObject=0x200) returned 1 [0085.251] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json.protected") returned 166 [0085.251] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json.protected")) returned 1 [0085.251] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.251] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.251] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.252] lstrlenA (lpString="EMPTY") returned 5 [0085.252] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.253] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.253] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.253] CloseHandle (hObject=0x1fc) returned 1 [0085.253] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.253] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0085.253] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0085.253] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0085.253] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0085.253] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0085.253] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv") returned 142 [0085.253] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0085.253] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0085.253] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\*") returned 144 [0085.253] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.253] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.253] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.253] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.253] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.253] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.253] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\.") returned 144 [0085.253] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.253] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.253] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.253] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.253] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.253] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.254] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.254] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\..") returned 145 [0085.254] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.254] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.254] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.254] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.254] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.254] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.254] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.254] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.254] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json") returned 156 [0085.254] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.254] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.254] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.254] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.254] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json") returned 156 [0085.254] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.254] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json") returned 156 [0085.254] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.254] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json") returned 156 [0085.254] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.254] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xfd, lpOverlapped=0x0) returned 1 [0085.255] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff03, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.255] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xfd, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xfd, lpOverlapped=0x0) returned 1 [0085.255] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.255] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.255] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.255] CloseHandle (hObject=0x200) returned 1 [0085.255] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json.protected") returned 166 [0085.255] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json.protected")) returned 1 [0085.256] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.256] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.256] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.256] lstrlenA (lpString="EMPTY") returned 5 [0085.256] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.257] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.257] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.257] CloseHandle (hObject=0x1fc) returned 1 [0085.257] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.257] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0085.257] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0085.257] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0085.257] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0085.257] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0085.258] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th") returned 142 [0085.258] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0085.258] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0085.258] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\*") returned 144 [0085.258] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.258] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.258] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.258] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.258] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.258] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.258] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\.") returned 144 [0085.258] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.258] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.258] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.258] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.258] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.258] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.258] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.258] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\..") returned 145 [0085.258] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.258] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.258] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.258] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.258] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.258] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.258] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.258] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.258] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json") returned 156 [0085.258] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.258] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.258] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.258] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.259] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.259] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json") returned 156 [0085.259] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.259] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json") returned 156 [0085.259] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.259] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json") returned 156 [0085.259] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.259] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x164, lpOverlapped=0x0) returned 1 [0085.260] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffe9c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.260] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x164, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x164, lpOverlapped=0x0) returned 1 [0085.260] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.260] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.260] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.261] CloseHandle (hObject=0x200) returned 1 [0085.261] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json.protected") returned 166 [0085.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json.protected")) returned 1 [0085.261] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.261] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.261] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.262] lstrlenA (lpString="EMPTY") returned 5 [0085.262] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.262] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.262] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.263] CloseHandle (hObject=0x1fc) returned 1 [0085.263] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.263] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0085.263] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0085.263] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0085.263] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0085.263] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0085.263] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr") returned 142 [0085.263] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0085.263] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0085.263] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\*") returned 144 [0085.263] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.263] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.263] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.263] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.263] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.263] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.263] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\.") returned 144 [0085.263] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.263] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.263] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.263] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.263] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.263] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.264] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.264] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\..") returned 145 [0085.264] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.264] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.264] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.264] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.264] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.264] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.264] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.264] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.264] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json") returned 156 [0085.264] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.264] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.264] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.264] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.264] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json") returned 156 [0085.264] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.264] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json") returned 156 [0085.264] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.264] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json") returned 156 [0085.264] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.264] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x10e, lpOverlapped=0x0) returned 1 [0085.265] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.265] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x10e, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x10e, lpOverlapped=0x0) returned 1 [0085.265] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.265] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.265] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.265] CloseHandle (hObject=0x200) returned 1 [0085.265] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json.protected") returned 166 [0085.266] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json.protected")) returned 1 [0085.266] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.266] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.266] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.266] lstrlenA (lpString="EMPTY") returned 5 [0085.266] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.267] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.267] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.267] CloseHandle (hObject=0x1fc) returned 1 [0085.267] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.267] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0085.267] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0085.267] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0085.267] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0085.267] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0085.267] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk") returned 142 [0085.267] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0085.267] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0085.268] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\*") returned 144 [0085.268] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.268] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.268] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.268] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.268] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.268] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.268] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\.") returned 144 [0085.268] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.268] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.268] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.268] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.268] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.268] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.268] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.268] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\..") returned 145 [0085.268] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.268] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.268] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.268] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.268] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.268] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.268] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.268] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.268] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json") returned 156 [0085.268] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.268] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.268] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.268] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.269] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json") returned 156 [0085.269] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.269] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json") returned 156 [0085.269] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.269] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json") returned 156 [0085.269] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.269] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x161, lpOverlapped=0x0) returned 1 [0085.270] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffe9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.270] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x161, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x161, lpOverlapped=0x0) returned 1 [0085.270] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.270] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.270] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.270] CloseHandle (hObject=0x200) returned 1 [0085.270] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json.protected") returned 166 [0085.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json.protected")) returned 1 [0085.271] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.271] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.271] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.271] lstrlenA (lpString="EMPTY") returned 5 [0085.271] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.272] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.272] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.272] CloseHandle (hObject=0x1fc) returned 1 [0085.272] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.272] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0085.272] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0085.272] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0085.272] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0085.272] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0085.272] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi") returned 142 [0085.272] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0085.272] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0085.272] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\*") returned 144 [0085.272] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.272] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.273] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.273] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.273] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.273] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.273] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\.") returned 144 [0085.273] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.273] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.273] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.273] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.273] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.273] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.273] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.273] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\..") returned 145 [0085.273] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.273] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.273] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.273] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.273] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.273] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.273] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.273] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.273] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json") returned 156 [0085.273] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.273] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.273] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.273] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.273] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json") returned 156 [0085.273] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.273] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json") returned 156 [0085.273] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.273] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json") returned 156 [0085.274] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.274] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x117, lpOverlapped=0x0) returned 1 [0085.274] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffee9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.274] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x117, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x117, lpOverlapped=0x0) returned 1 [0085.274] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.274] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.274] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.275] CloseHandle (hObject=0x200) returned 1 [0085.275] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json.protected") returned 166 [0085.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json.protected")) returned 1 [0085.275] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.275] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.275] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.276] lstrlenA (lpString="EMPTY") returned 5 [0085.276] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.277] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.277] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.277] CloseHandle (hObject=0x1fc) returned 1 [0085.277] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.277] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0085.277] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0085.277] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0085.277] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0085.277] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0085.277] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN") returned 145 [0085.277] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0085.277] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0085.277] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\*") returned 147 [0085.277] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.278] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.278] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.278] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.278] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.278] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.278] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\.") returned 147 [0085.278] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.278] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.278] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.278] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.278] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.278] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.278] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.278] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\..") returned 148 [0085.278] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.278] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.278] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.278] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.278] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.278] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.278] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.278] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.278] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json") returned 159 [0085.278] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.278] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.278] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.279] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.279] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json") returned 159 [0085.280] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.280] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json") returned 159 [0085.280] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.280] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json") returned 159 [0085.280] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.280] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x111, lpOverlapped=0x0) returned 1 [0085.280] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.280] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x111, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x111, lpOverlapped=0x0) returned 1 [0085.281] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.281] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.281] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.281] CloseHandle (hObject=0x200) returned 1 [0085.281] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json.protected") returned 169 [0085.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0085.281] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.282] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.282] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0085.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_cn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.282] lstrlenA (lpString="EMPTY") returned 5 [0085.282] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.283] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.283] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.283] CloseHandle (hObject=0x1fc) returned 1 [0085.283] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.283] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0085.283] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0085.283] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0085.283] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0085.283] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0085.283] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW") returned 145 [0085.283] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0085.283] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0085.283] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\*") returned 147 [0085.283] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.283] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.283] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.284] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.284] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.284] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.284] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\.") returned 147 [0085.284] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.284] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.284] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.284] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.284] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.284] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.284] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.284] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\..") returned 148 [0085.284] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.284] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.284] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.284] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.284] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.284] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.284] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.284] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.284] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json") returned 159 [0085.284] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.284] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.284] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.284] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.285] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json") returned 159 [0085.285] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.285] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json") returned 159 [0085.285] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.285] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json") returned 159 [0085.285] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.285] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x10b, lpOverlapped=0x0) returned 1 [0085.285] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.286] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x10b, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x10b, lpOverlapped=0x0) returned 1 [0085.286] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.286] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.286] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.286] CloseHandle (hObject=0x200) returned 1 [0085.286] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json.protected") returned 169 [0085.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0085.287] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.287] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.287] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0085.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_tw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.287] lstrlenA (lpString="EMPTY") returned 5 [0085.287] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.288] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.288] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.288] CloseHandle (hObject=0x1fc) returned 1 [0085.288] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0085.288] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0085.288] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 169 [0085.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0085.325] lstrlenA (lpString="EMPTY") returned 5 [0085.325] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0085.326] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.326] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0085.326] CloseHandle (hObject=0x1f8) returned 1 [0085.326] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0085.326] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0085.326] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0085.326] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0085.326] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0085.326] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0085.326] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata") returned 140 [0085.326] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0085.326] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0085.326] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\*") returned 142 [0085.326] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0085.327] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.327] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.327] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.327] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.327] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.327] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\.") returned 142 [0085.327] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.327] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.327] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.327] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.327] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.327] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.327] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.327] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\..") returned 143 [0085.327] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.327] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.327] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.327] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0085.327] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0085.327] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0085.327] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0085.327] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0085.327] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json") returned 163 [0085.327] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0085.327] lstrcmpW (lpString1="verified_contents.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.327] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0085.327] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0085.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.333] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json") returned 163 [0085.333] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0085.333] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json") returned 163 [0085.333] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0085.333] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json") returned 163 [0085.333] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0085.333] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0085.366] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.366] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0085.366] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.366] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0085.366] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0085.366] CloseHandle (hObject=0x1fc) returned 1 [0085.367] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json.protected") returned 173 [0085.367] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json.protected")) returned 1 [0085.367] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0085.367] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0085.367] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 170 [0085.367] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0085.368] lstrlenA (lpString="EMPTY") returned 5 [0085.368] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0085.368] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.369] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0085.369] CloseHandle (hObject=0x1f8) returned 1 [0085.369] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0 [0085.369] FindClose (in: hFindFile=0x557570 | out: hFindFile=0x557570) returned 1 [0085.370] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 160 [0085.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0085.370] lstrlenA (lpString="EMPTY") returned 5 [0085.370] WriteFile (in: hFile=0x1f4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed6c4*=0x5, lpOverlapped=0x0) returned 1 [0085.371] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.371] WriteFile (in: hFile=0x1f4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed6c4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.371] CloseHandle (hObject=0x1f4) returned 1 [0085.371] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0 [0085.371] FindClose (in: hFindFile=0x557530 | out: hFindFile=0x557530) returned 1 [0085.372] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 153 [0085.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0085.372] lstrlenA (lpString="EMPTY") returned 5 [0085.372] WriteFile (in: hFile=0x1f0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed9bc*=0x5, lpOverlapped=0x0) returned 1 [0085.373] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.373] WriteFile (in: hFile=0x1f0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed9bc*=0x2ac, lpOverlapped=0x0) returned 1 [0085.373] CloseHandle (hObject=0x1f0) returned 1 [0085.373] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0085.373] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="Windows") returned -1 [0085.373] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="Program Files") returned -1 [0085.373] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="Program Files (x86)") returned -1 [0085.373] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="$Recycle.bin") returned 1 [0085.373] lstrcmpiW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="System Volume Information") returned -1 [0085.373] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo") returned 123 [0085.373] lstrcmpW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2=".") returned 1 [0085.373] lstrcmpW (lpString1="blpcfgokakmgnkcojhhkbfbldkacnbeo", lpString2="..") returned 1 [0085.373] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\*") returned 125 [0085.373] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\*", lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0x557530 [0085.373] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.373] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.373] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.374] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.374] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.374] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\.") returned 125 [0085.374] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.374] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0085.374] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.374] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.374] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.374] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.374] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.374] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\..") returned 126 [0085.374] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.374] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.374] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0085.374] lstrcmpiW (lpString1="4.2.8_0", lpString2="Windows") returned -1 [0085.374] lstrcmpiW (lpString1="4.2.8_0", lpString2="Program Files") returned -1 [0085.374] lstrcmpiW (lpString1="4.2.8_0", lpString2="Program Files (x86)") returned -1 [0085.374] lstrcmpiW (lpString1="4.2.8_0", lpString2="$Recycle.bin") returned 1 [0085.374] lstrcmpiW (lpString1="4.2.8_0", lpString2="System Volume Information") returned -1 [0085.374] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0") returned 131 [0085.374] lstrcmpW (lpString1="4.2.8_0", lpString2=".") returned 1 [0085.374] lstrcmpW (lpString1="4.2.8_0", lpString2="..") returned 1 [0085.374] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\*") returned 133 [0085.374] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\*", lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0x557570 [0085.395] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.395] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.395] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.395] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.395] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.395] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\.") returned 133 [0085.395] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.395] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0085.395] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.396] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.396] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.396] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.396] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.396] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\..") returned 134 [0085.396] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.396] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.396] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0085.396] lstrcmpiW (lpString1="128.png", lpString2="Windows") returned -1 [0085.396] lstrcmpiW (lpString1="128.png", lpString2="Program Files") returned -1 [0085.396] lstrcmpiW (lpString1="128.png", lpString2="Program Files (x86)") returned -1 [0085.396] lstrcmpiW (lpString1="128.png", lpString2="$Recycle.bin") returned 1 [0085.396] lstrcmpiW (lpString1="128.png", lpString2="System Volume Information") returned -1 [0085.396] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png") returned 139 [0085.396] StrStrIW (lpFirst="128.png", lpSrch=".protected") returned 0x0 [0085.396] lstrcmpW (lpString1="128.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0085.396] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0085.396] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0085.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0085.397] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png") returned 139 [0085.397] StrStrW (lpFirst="128.png", lpSrch=".txt") returned 0x0 [0085.397] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png") returned 139 [0085.397] StrStrW (lpFirst="128.png", lpSrch=".rar") returned 0x0 [0085.397] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png") returned 139 [0085.397] StrStrW (lpFirst="128.png", lpSrch=".zip") returned 0x0 [0085.397] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0xd4e, lpOverlapped=0x0) returned 1 [0085.408] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffff2b2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.408] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0xd4e, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0xd4e, lpOverlapped=0x0) returned 1 [0085.409] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.409] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0085.409] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0085.409] CloseHandle (hObject=0x1f8) returned 1 [0085.409] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.protected") returned 149 [0085.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.protected")) returned 1 [0085.410] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0085.410] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0085.410] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0085.410] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0085.410] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0085.410] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0085.410] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json") returned 145 [0085.410] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0085.410] lstrcmpW (lpString1="manifest.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.410] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0085.410] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0085.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0085.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json") returned 145 [0085.411] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0085.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json") returned 145 [0085.411] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0085.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json") returned 145 [0085.411] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0085.411] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2d8, lpOverlapped=0x0) returned 1 [0085.412] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.412] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2d8, lpOverlapped=0x0) returned 1 [0085.413] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.413] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0085.413] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0085.413] CloseHandle (hObject=0x1f8) returned 1 [0085.414] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json.protected") returned 155 [0085.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json.protected")) returned 1 [0085.415] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0085.415] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0085.415] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0085.415] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0085.415] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0085.415] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0085.415] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales") returned 140 [0085.415] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0085.415] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0085.415] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\*") returned 142 [0085.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0085.465] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.465] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.465] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.465] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.465] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.465] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\.") returned 142 [0085.465] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.465] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.465] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.465] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.465] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.465] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.465] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.465] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\..") returned 143 [0085.465] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.465] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.465] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.465] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0085.465] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0085.465] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0085.465] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0085.465] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0085.465] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar") returned 143 [0085.465] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0085.465] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0085.466] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\*") returned 145 [0085.466] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.466] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.466] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.466] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.466] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.466] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.466] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\.") returned 145 [0085.466] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.466] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.466] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.466] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.466] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.466] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.466] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.466] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\..") returned 146 [0085.466] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.466] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.466] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.466] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.466] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.466] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.466] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.466] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.466] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json") returned 157 [0085.466] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.466] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.466] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.467] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.467] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.467] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json") returned 157 [0085.467] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.467] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json") returned 157 [0085.467] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.467] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json") returned 157 [0085.467] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.467] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.468] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.468] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.468] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.468] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.468] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.468] CloseHandle (hObject=0x200) returned 1 [0085.468] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json.protected") returned 167 [0085.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json.protected")) returned 1 [0085.469] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.469] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.469] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.469] lstrlenA (lpString="EMPTY") returned 5 [0085.469] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.470] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.470] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.470] CloseHandle (hObject=0x1fc) returned 1 [0085.470] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.470] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0085.470] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0085.470] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0085.470] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0085.470] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0085.471] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg") returned 143 [0085.471] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0085.471] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0085.471] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\*") returned 145 [0085.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.471] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.471] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.471] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.471] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.471] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.471] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\.") returned 145 [0085.471] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.471] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.471] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.472] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.472] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.472] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.472] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.472] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\..") returned 146 [0085.472] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.472] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.472] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.472] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.472] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.472] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.472] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.472] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.472] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json") returned 157 [0085.472] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.472] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.472] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.472] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.472] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.472] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json") returned 157 [0085.472] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.472] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json") returned 157 [0085.472] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.472] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json") returned 157 [0085.472] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.472] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.473] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.473] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.473] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.474] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.474] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.474] CloseHandle (hObject=0x200) returned 1 [0085.474] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json.protected") returned 167 [0085.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json.protected")) returned 1 [0085.474] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.475] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.475] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.475] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.476] lstrlenA (lpString="EMPTY") returned 5 [0085.476] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.477] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.477] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.477] CloseHandle (hObject=0x1fc) returned 1 [0085.477] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.477] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0085.477] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0085.477] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0085.478] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0085.478] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0085.478] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca") returned 143 [0085.478] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0085.478] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0085.478] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\*") returned 145 [0085.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.478] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.478] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.478] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.478] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.478] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.478] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\.") returned 145 [0085.478] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.478] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.478] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.478] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.478] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.478] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.478] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.478] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\..") returned 146 [0085.478] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.478] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.478] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.478] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.479] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.479] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.479] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.479] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.479] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json") returned 157 [0085.479] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.479] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.479] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.479] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json") returned 157 [0085.479] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json") returned 157 [0085.479] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json") returned 157 [0085.479] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.479] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.480] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.480] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.480] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.480] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.480] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.480] CloseHandle (hObject=0x200) returned 1 [0085.481] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json.protected") returned 167 [0085.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json.protected")) returned 1 [0085.481] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.481] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.481] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.482] lstrlenA (lpString="EMPTY") returned 5 [0085.482] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.482] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.482] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.482] CloseHandle (hObject=0x1fc) returned 1 [0085.482] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.483] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0085.483] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0085.483] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0085.483] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0085.483] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0085.483] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs") returned 143 [0085.483] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0085.483] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0085.483] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\*") returned 145 [0085.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.484] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.484] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.484] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.484] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.484] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.484] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\.") returned 145 [0085.484] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.484] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.484] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.484] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.484] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.484] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.484] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.484] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\..") returned 146 [0085.484] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.484] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.484] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.484] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.484] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.484] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.484] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.484] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.484] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json") returned 157 [0085.484] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.484] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.484] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.484] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.485] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json") returned 157 [0085.485] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.485] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json") returned 157 [0085.485] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.485] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json") returned 157 [0085.485] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.485] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.486] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.486] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.486] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.486] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.486] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.487] CloseHandle (hObject=0x200) returned 1 [0085.487] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json.protected") returned 167 [0085.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json.protected")) returned 1 [0085.487] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.487] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.487] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.487] lstrlenA (lpString="EMPTY") returned 5 [0085.488] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.488] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.488] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.488] CloseHandle (hObject=0x1fc) returned 1 [0085.489] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.489] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0085.489] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0085.489] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0085.489] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0085.489] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0085.489] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da") returned 143 [0085.489] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0085.489] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0085.489] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\*") returned 145 [0085.489] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.489] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.489] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.489] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.489] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.489] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.489] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\.") returned 145 [0085.489] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.489] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.489] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.489] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.489] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.489] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.489] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.489] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\..") returned 146 [0085.489] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.490] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.490] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.490] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.490] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.490] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.490] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.490] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.490] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json") returned 157 [0085.490] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.490] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.490] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.490] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.490] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json") returned 157 [0085.490] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.490] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json") returned 157 [0085.490] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.490] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json") returned 157 [0085.490] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.490] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.491] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.491] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.491] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.491] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.491] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.491] CloseHandle (hObject=0x200) returned 1 [0085.491] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json.protected") returned 167 [0085.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json.protected")) returned 1 [0085.492] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.492] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.492] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.492] lstrlenA (lpString="EMPTY") returned 5 [0085.492] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.493] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.493] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.493] CloseHandle (hObject=0x1fc) returned 1 [0085.493] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.493] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0085.493] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0085.493] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0085.493] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0085.493] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0085.493] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de") returned 143 [0085.493] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0085.493] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0085.493] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\*") returned 145 [0085.493] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.494] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.494] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.494] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.494] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.494] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.494] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\.") returned 145 [0085.494] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.494] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.494] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.494] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.494] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.494] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.494] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.494] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\..") returned 146 [0085.494] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.494] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.494] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.494] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.494] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.494] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.494] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.494] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.495] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json") returned 157 [0085.495] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.495] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.495] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.495] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.495] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json") returned 157 [0085.495] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.495] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json") returned 157 [0085.495] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.495] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json") returned 157 [0085.495] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.495] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.496] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.496] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.496] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.496] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.496] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.496] CloseHandle (hObject=0x200) returned 1 [0085.496] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json.protected") returned 167 [0085.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json.protected")) returned 1 [0085.497] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.497] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.497] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.497] lstrlenA (lpString="EMPTY") returned 5 [0085.497] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.498] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.498] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.498] CloseHandle (hObject=0x1fc) returned 1 [0085.498] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.498] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0085.498] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0085.498] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0085.498] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0085.498] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0085.498] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el") returned 143 [0085.498] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0085.499] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0085.499] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\*") returned 145 [0085.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.499] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.499] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.499] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.499] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.499] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.499] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\.") returned 145 [0085.499] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.499] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.499] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.499] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.499] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.499] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.499] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.499] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\..") returned 146 [0085.499] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.499] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.499] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.499] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.499] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.499] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.499] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.499] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.499] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json") returned 157 [0085.499] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.499] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.499] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.499] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.500] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.500] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json") returned 157 [0085.500] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.500] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json") returned 157 [0085.500] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.500] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json") returned 157 [0085.500] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.500] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.501] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.501] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.501] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.501] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.501] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.501] CloseHandle (hObject=0x200) returned 1 [0085.501] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json.protected") returned 167 [0085.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json.protected")) returned 1 [0085.502] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.502] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.502] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.502] lstrlenA (lpString="EMPTY") returned 5 [0085.502] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.503] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.503] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.503] CloseHandle (hObject=0x1fc) returned 1 [0085.503] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.503] lstrcmpiW (lpString1="en", lpString2="Windows") returned -1 [0085.503] lstrcmpiW (lpString1="en", lpString2="Program Files") returned -1 [0085.503] lstrcmpiW (lpString1="en", lpString2="Program Files (x86)") returned -1 [0085.503] lstrcmpiW (lpString1="en", lpString2="$Recycle.bin") returned 1 [0085.503] lstrcmpiW (lpString1="en", lpString2="System Volume Information") returned -1 [0085.503] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en") returned 143 [0085.503] lstrcmpW (lpString1="en", lpString2=".") returned 1 [0085.503] lstrcmpW (lpString1="en", lpString2="..") returned 1 [0085.503] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\*") returned 145 [0085.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.504] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.504] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.504] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.504] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.504] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.504] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\.") returned 145 [0085.504] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.504] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.504] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.504] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.504] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.504] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.504] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.504] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\..") returned 146 [0085.504] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.504] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.504] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.504] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.504] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.504] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.504] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.504] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.504] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json") returned 157 [0085.504] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.504] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.504] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.505] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json") returned 157 [0085.505] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json") returned 157 [0085.505] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json") returned 157 [0085.505] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.505] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.506] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.506] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.506] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.506] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.506] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.506] CloseHandle (hObject=0x200) returned 1 [0085.506] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json.protected") returned 167 [0085.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json.protected")) returned 1 [0085.507] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.507] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.507] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.507] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.507] lstrlenA (lpString="EMPTY") returned 5 [0085.507] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.508] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.508] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.508] CloseHandle (hObject=0x1fc) returned 1 [0085.508] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.508] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0085.508] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0085.508] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0085.508] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0085.508] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0085.508] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es") returned 143 [0085.508] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0085.508] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0085.508] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\*") returned 145 [0085.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.509] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.509] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.509] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.509] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.509] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.509] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\.") returned 145 [0085.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.509] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.509] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.509] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.509] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.509] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.509] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.509] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\..") returned 146 [0085.509] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.509] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.509] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.509] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.509] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.509] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.509] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.509] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.509] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json") returned 157 [0085.509] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.509] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.509] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.509] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.510] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json") returned 157 [0085.510] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.510] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json") returned 157 [0085.510] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.510] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json") returned 157 [0085.510] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.510] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.510] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.511] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.511] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.511] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.511] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.511] CloseHandle (hObject=0x200) returned 1 [0085.511] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json.protected") returned 167 [0085.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json.protected")) returned 1 [0085.511] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.512] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.512] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.512] lstrlenA (lpString="EMPTY") returned 5 [0085.512] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.513] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.513] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.513] CloseHandle (hObject=0x1fc) returned 1 [0085.520] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.520] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0085.520] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0085.520] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0085.521] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0085.521] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0085.521] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi") returned 143 [0085.521] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0085.521] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0085.521] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\*") returned 145 [0085.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.522] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.522] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.522] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.522] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.522] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.522] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\.") returned 145 [0085.522] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.522] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.522] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.522] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.522] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.522] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.522] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.522] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\..") returned 146 [0085.522] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.522] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.522] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.522] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.522] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.522] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.522] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.522] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.522] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json") returned 157 [0085.522] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.522] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.522] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.523] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json") returned 157 [0085.523] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json") returned 157 [0085.523] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json") returned 157 [0085.523] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.523] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.524] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.524] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.524] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.524] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.524] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.525] CloseHandle (hObject=0x200) returned 1 [0085.525] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json.protected") returned 167 [0085.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json.protected")) returned 1 [0085.525] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.525] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.525] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.526] lstrlenA (lpString="EMPTY") returned 5 [0085.526] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.527] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.527] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.527] CloseHandle (hObject=0x1fc) returned 1 [0085.527] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.527] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0085.527] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0085.527] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0085.527] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0085.527] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0085.527] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil") returned 144 [0085.527] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0085.527] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0085.527] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\*") returned 146 [0085.527] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.528] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.528] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.528] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.528] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.528] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.528] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\.") returned 146 [0085.528] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.528] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.528] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.528] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.528] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.528] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.528] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.528] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\..") returned 147 [0085.528] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.528] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.528] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.528] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.528] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.528] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.528] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.528] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.528] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json") returned 158 [0085.528] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.529] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.529] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.529] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.529] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json") returned 158 [0085.529] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.529] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json") returned 158 [0085.529] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.529] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json") returned 158 [0085.529] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.529] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.530] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.530] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.530] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.530] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.531] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.531] CloseHandle (hObject=0x200) returned 1 [0085.531] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json.protected") returned 168 [0085.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json.protected")) returned 1 [0085.531] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.532] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.532] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0085.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.532] lstrlenA (lpString="EMPTY") returned 5 [0085.532] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.533] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.533] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.533] CloseHandle (hObject=0x1fc) returned 1 [0085.533] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.533] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0085.533] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0085.533] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0085.533] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0085.533] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0085.533] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr") returned 143 [0085.533] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0085.533] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0085.534] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\*") returned 145 [0085.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.534] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.534] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.534] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.534] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.534] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.535] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\.") returned 145 [0085.535] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.535] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.535] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.535] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.535] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.535] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.535] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.535] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\..") returned 146 [0085.535] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.535] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.535] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.535] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.535] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.535] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.535] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.535] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.535] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json") returned 157 [0085.535] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.535] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.535] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.535] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.536] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json") returned 157 [0085.536] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.536] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json") returned 157 [0085.536] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.536] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json") returned 157 [0085.536] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.536] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.537] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.537] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.537] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.537] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.537] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.537] CloseHandle (hObject=0x200) returned 1 [0085.537] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json.protected") returned 167 [0085.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json.protected")) returned 1 [0085.538] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.538] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.538] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.539] lstrlenA (lpString="EMPTY") returned 5 [0085.539] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.540] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.540] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.540] CloseHandle (hObject=0x1fc) returned 1 [0085.540] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.540] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0085.540] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0085.540] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0085.540] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0085.540] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0085.540] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he") returned 143 [0085.540] lstrcmpW (lpString1="he", lpString2=".") returned 1 [0085.540] lstrcmpW (lpString1="he", lpString2="..") returned 1 [0085.540] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\*") returned 145 [0085.540] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.540] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.540] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.540] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.541] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.541] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.541] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\.") returned 145 [0085.541] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.541] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.541] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.541] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.541] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.541] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.541] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.541] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\..") returned 146 [0085.541] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.541] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.541] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.541] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.541] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.541] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.541] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.541] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.541] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json") returned 157 [0085.541] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.541] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.541] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.541] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.542] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json") returned 157 [0085.542] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.542] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json") returned 157 [0085.542] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.542] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json") returned 157 [0085.542] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.542] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.543] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.543] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.543] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.543] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.543] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.543] CloseHandle (hObject=0x200) returned 1 [0085.544] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json.protected") returned 167 [0085.544] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json.protected")) returned 1 [0085.544] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.544] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.544] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.544] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.545] lstrlenA (lpString="EMPTY") returned 5 [0085.545] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.546] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.546] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.546] CloseHandle (hObject=0x1fc) returned 1 [0085.546] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.546] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0085.546] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0085.546] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0085.546] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0085.546] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0085.546] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi") returned 143 [0085.546] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0085.546] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0085.546] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\*") returned 145 [0085.546] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.586] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.586] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.586] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.586] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.586] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.586] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\.") returned 145 [0085.586] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.586] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.586] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.586] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.586] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.586] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.586] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.586] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\..") returned 146 [0085.587] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.587] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.587] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.587] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.587] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.587] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.587] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.587] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.587] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json") returned 157 [0085.587] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.587] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.587] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.587] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.587] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.587] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json") returned 157 [0085.587] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.587] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json") returned 157 [0085.587] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.587] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json") returned 157 [0085.588] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.588] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.588] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.588] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.589] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.589] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.589] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.589] CloseHandle (hObject=0x200) returned 1 [0085.589] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json.protected") returned 167 [0085.589] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json.protected")) returned 1 [0085.590] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.590] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.590] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.590] lstrlenA (lpString="EMPTY") returned 5 [0085.590] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.591] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.591] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.591] CloseHandle (hObject=0x1fc) returned 1 [0085.592] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.592] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0085.592] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0085.592] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0085.592] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0085.592] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0085.592] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr") returned 143 [0085.592] lstrcmpW (lpString1="hr", lpString2=".") returned 1 [0085.592] lstrcmpW (lpString1="hr", lpString2="..") returned 1 [0085.592] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\*") returned 145 [0085.592] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.592] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.592] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.592] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.592] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.592] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.592] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\.") returned 145 [0085.592] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.592] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.592] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.592] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.592] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.592] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.592] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.592] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\..") returned 146 [0085.593] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.593] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.593] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.593] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.593] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.593] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.593] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.593] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.593] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json") returned 157 [0085.593] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.593] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.593] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.593] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.594] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json") returned 157 [0085.594] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.594] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json") returned 157 [0085.594] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.594] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json") returned 157 [0085.594] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.594] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.595] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.595] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.595] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.595] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.595] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.595] CloseHandle (hObject=0x200) returned 1 [0085.595] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json.protected") returned 167 [0085.595] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json.protected")) returned 1 [0085.596] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.596] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.596] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.597] lstrlenA (lpString="EMPTY") returned 5 [0085.597] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.600] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.600] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.600] CloseHandle (hObject=0x1fc) returned 1 [0085.600] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.600] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0085.600] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0085.601] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0085.601] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0085.601] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0085.601] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu") returned 143 [0085.601] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0085.601] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0085.601] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\*") returned 145 [0085.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.602] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.602] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.602] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.602] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.602] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.602] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\.") returned 145 [0085.602] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.602] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.602] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.602] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.602] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.602] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.602] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.602] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\..") returned 146 [0085.602] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.602] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.602] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.603] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.603] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.603] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.603] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.603] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.603] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json") returned 157 [0085.603] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.603] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.603] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.603] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.603] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.603] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json") returned 157 [0085.603] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.603] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json") returned 157 [0085.603] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.603] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json") returned 157 [0085.603] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.603] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.611] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.611] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.611] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.611] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.611] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.611] CloseHandle (hObject=0x200) returned 1 [0085.611] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json.protected") returned 167 [0085.611] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json.protected")) returned 1 [0085.612] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.612] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.612] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.613] lstrlenA (lpString="EMPTY") returned 5 [0085.613] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.614] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.614] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.614] CloseHandle (hObject=0x1fc) returned 1 [0085.614] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.614] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0085.614] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0085.614] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0085.614] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0085.614] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0085.614] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id") returned 143 [0085.614] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0085.615] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0085.615] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\*") returned 145 [0085.615] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.615] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.615] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.615] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.615] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.615] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.615] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\.") returned 145 [0085.615] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.615] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.615] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.615] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.615] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.615] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.615] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.615] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\..") returned 146 [0085.615] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.615] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.615] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.615] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.615] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.615] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.615] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.615] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.615] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json") returned 157 [0085.616] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.616] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.616] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.616] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.616] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json") returned 157 [0085.616] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.616] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json") returned 157 [0085.616] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.616] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json") returned 157 [0085.616] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.616] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.618] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.618] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.618] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.618] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.619] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.619] CloseHandle (hObject=0x200) returned 1 [0085.619] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json.protected") returned 167 [0085.619] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json.protected")) returned 1 [0085.619] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.620] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.620] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.620] lstrlenA (lpString="EMPTY") returned 5 [0085.620] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.621] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.621] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.621] CloseHandle (hObject=0x1fc) returned 1 [0085.621] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.621] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0085.621] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0085.621] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0085.621] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0085.621] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0085.621] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it") returned 143 [0085.621] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0085.622] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0085.622] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\*") returned 145 [0085.622] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.622] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.622] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.622] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.622] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.622] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.622] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\.") returned 145 [0085.623] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.623] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.623] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.623] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.623] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.623] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.623] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.623] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\..") returned 146 [0085.623] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.623] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.623] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.623] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.623] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.623] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.623] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.623] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.623] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json") returned 157 [0085.623] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.623] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.623] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.623] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.624] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json") returned 157 [0085.624] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.624] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json") returned 157 [0085.624] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.624] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json") returned 157 [0085.624] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.624] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.625] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.625] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.625] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.625] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.625] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.625] CloseHandle (hObject=0x200) returned 1 [0085.625] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json.protected") returned 167 [0085.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json.protected")) returned 1 [0085.626] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.626] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.626] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.626] lstrlenA (lpString="EMPTY") returned 5 [0085.626] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.627] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.627] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.629] CloseHandle (hObject=0x1fc) returned 1 [0085.629] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.629] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0085.629] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0085.629] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0085.629] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0085.629] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0085.629] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja") returned 143 [0085.629] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0085.629] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0085.629] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\*") returned 145 [0085.629] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.630] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.630] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.630] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.630] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.630] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.630] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\.") returned 145 [0085.630] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.630] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.630] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.630] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.630] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.630] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.630] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.630] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\..") returned 146 [0085.630] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.630] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.630] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.630] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.630] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.630] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.630] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.630] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.630] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json") returned 157 [0085.630] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.630] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.630] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.630] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.631] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json") returned 157 [0085.631] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.631] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json") returned 157 [0085.631] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.631] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json") returned 157 [0085.631] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.631] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.633] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.634] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.634] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.634] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.634] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.634] CloseHandle (hObject=0x200) returned 1 [0085.634] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json.protected") returned 167 [0085.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json.protected")) returned 1 [0085.635] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.635] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.635] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.635] lstrlenA (lpString="EMPTY") returned 5 [0085.635] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.638] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.638] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.638] CloseHandle (hObject=0x1fc) returned 1 [0085.638] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.638] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0085.639] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0085.639] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0085.639] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0085.639] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0085.639] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko") returned 143 [0085.639] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0085.639] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0085.639] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\*") returned 145 [0085.639] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.653] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.654] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.654] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.654] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.654] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.654] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\.") returned 145 [0085.654] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.654] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.654] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.654] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.654] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.654] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.654] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.654] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\..") returned 146 [0085.654] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.654] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.654] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.654] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.654] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.654] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.654] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.654] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.654] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json") returned 157 [0085.654] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.654] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.654] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.654] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.655] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json") returned 157 [0085.655] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.655] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json") returned 157 [0085.655] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.655] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json") returned 157 [0085.655] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.655] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.656] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.656] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.656] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.656] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.656] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.656] CloseHandle (hObject=0x200) returned 1 [0085.656] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json.protected") returned 167 [0085.656] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json.protected")) returned 1 [0085.657] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.657] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.657] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.658] lstrlenA (lpString="EMPTY") returned 5 [0085.658] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.658] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.658] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.658] CloseHandle (hObject=0x1fc) returned 1 [0085.658] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.658] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0085.658] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0085.658] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0085.658] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0085.659] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0085.659] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt") returned 143 [0085.659] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0085.659] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0085.659] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\*") returned 145 [0085.659] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.659] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.659] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.659] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.659] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.659] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.659] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\.") returned 145 [0085.660] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.660] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.660] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.660] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.660] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.660] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.660] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.660] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\..") returned 146 [0085.660] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.660] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.660] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.660] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.660] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.660] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.660] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.660] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.660] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json") returned 157 [0085.660] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.660] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.660] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.660] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.661] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json") returned 157 [0085.661] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.661] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json") returned 157 [0085.661] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.661] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json") returned 157 [0085.661] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.663] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.664] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.664] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.664] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.664] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.664] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.664] CloseHandle (hObject=0x200) returned 1 [0085.664] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json.protected") returned 167 [0085.664] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json.protected")) returned 1 [0085.665] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.665] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.665] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.665] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.666] lstrlenA (lpString="EMPTY") returned 5 [0085.666] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.666] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.666] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.667] CloseHandle (hObject=0x1fc) returned 1 [0085.667] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.667] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0085.667] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0085.667] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0085.667] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0085.667] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0085.667] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv") returned 143 [0085.667] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0085.667] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0085.667] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\*") returned 145 [0085.667] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.675] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.675] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.675] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.675] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.675] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.676] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\.") returned 145 [0085.676] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.676] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.676] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.676] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.676] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.676] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.676] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.676] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\..") returned 146 [0085.676] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.676] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.676] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.676] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.676] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.676] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.676] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.676] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.676] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json") returned 157 [0085.676] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.676] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.676] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.676] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.677] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json") returned 157 [0085.677] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.677] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json") returned 157 [0085.677] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.677] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json") returned 157 [0085.677] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.677] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.678] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.678] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.678] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.678] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.678] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.678] CloseHandle (hObject=0x200) returned 1 [0085.678] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json.protected") returned 167 [0085.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json.protected")) returned 1 [0085.679] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.679] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.679] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.681] lstrlenA (lpString="EMPTY") returned 5 [0085.681] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.681] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.681] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.682] CloseHandle (hObject=0x1fc) returned 1 [0085.682] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.682] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0085.682] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0085.682] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0085.682] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0085.682] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0085.682] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl") returned 143 [0085.682] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0085.682] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0085.682] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\*") returned 145 [0085.682] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.682] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.682] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.682] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.682] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.683] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.683] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\.") returned 145 [0085.683] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.683] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.683] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.683] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.683] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.683] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.683] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.683] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\..") returned 146 [0085.683] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.683] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.683] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.683] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.683] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.683] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.683] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.683] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.683] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json") returned 157 [0085.683] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.683] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.683] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.683] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.684] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json") returned 157 [0085.684] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.684] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json") returned 157 [0085.684] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.684] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json") returned 157 [0085.684] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.684] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.685] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.685] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.685] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.685] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.685] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.685] CloseHandle (hObject=0x200) returned 1 [0085.685] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json.protected") returned 167 [0085.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json.protected")) returned 1 [0085.686] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.686] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.686] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.686] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.689] lstrlenA (lpString="EMPTY") returned 5 [0085.689] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.689] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.689] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.690] CloseHandle (hObject=0x1fc) returned 1 [0085.690] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.690] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0085.690] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0085.690] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0085.690] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0085.690] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0085.690] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no") returned 143 [0085.690] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0085.690] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0085.690] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\*") returned 145 [0085.690] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.691] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.691] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.691] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.691] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.691] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.691] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\.") returned 145 [0085.691] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.691] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.691] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.691] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.691] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.691] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.691] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.691] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\..") returned 146 [0085.691] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.691] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.691] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.692] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.692] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.692] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.692] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.692] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.692] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json") returned 157 [0085.692] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.692] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.692] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.692] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.692] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json") returned 157 [0085.692] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.692] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json") returned 157 [0085.692] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.692] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json") returned 157 [0085.692] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.693] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x9f, lpOverlapped=0x0) returned 1 [0085.695] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.695] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x9f, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x9f, lpOverlapped=0x0) returned 1 [0085.695] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.695] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.695] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.695] CloseHandle (hObject=0x200) returned 1 [0085.696] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json.protected") returned 167 [0085.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json.protected")) returned 1 [0085.696] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.696] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.696] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.696] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.697] lstrlenA (lpString="EMPTY") returned 5 [0085.697] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.698] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.698] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.698] CloseHandle (hObject=0x1fc) returned 1 [0085.698] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.698] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0085.698] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0085.698] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0085.698] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0085.698] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0085.698] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl") returned 143 [0085.698] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0085.698] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0085.698] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\*") returned 145 [0085.698] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.698] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.698] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.698] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.699] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.699] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.699] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\.") returned 145 [0085.699] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.699] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.699] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.699] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.699] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.699] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.699] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.699] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\..") returned 146 [0085.699] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.699] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.699] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.699] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.699] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.699] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.699] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.699] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.699] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json") returned 157 [0085.699] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.699] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.699] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.699] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.699] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.700] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json") returned 157 [0085.700] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.700] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json") returned 157 [0085.700] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.700] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json") returned 157 [0085.700] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.700] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.701] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.701] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.701] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.701] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.701] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.701] CloseHandle (hObject=0x200) returned 1 [0085.701] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json.protected") returned 167 [0085.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json.protected")) returned 1 [0085.702] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.702] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.702] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.703] lstrlenA (lpString="EMPTY") returned 5 [0085.703] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.704] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.704] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.704] CloseHandle (hObject=0x1fc) returned 1 [0085.704] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.704] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0085.704] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0085.704] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0085.704] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0085.704] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0085.704] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR") returned 146 [0085.704] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0085.704] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0085.704] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\*") returned 148 [0085.704] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.705] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.705] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.705] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.705] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.705] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.705] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\.") returned 148 [0085.706] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.706] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.706] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.706] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.706] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.706] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.706] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.706] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\..") returned 149 [0085.706] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.706] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.706] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.706] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.706] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.706] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.706] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.706] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.706] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json") returned 160 [0085.706] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.706] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.706] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.706] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.707] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json") returned 160 [0085.707] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.707] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json") returned 160 [0085.707] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.707] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json") returned 160 [0085.707] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.707] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.708] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.708] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.708] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.708] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.708] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.708] CloseHandle (hObject=0x200) returned 1 [0085.708] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json.protected") returned 170 [0085.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0085.709] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.709] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.709] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 176 [0085.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_br\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.710] lstrlenA (lpString="EMPTY") returned 5 [0085.710] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.710] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.711] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.711] CloseHandle (hObject=0x1fc) returned 1 [0085.711] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.711] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0085.711] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0085.711] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0085.711] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0085.711] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0085.711] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT") returned 146 [0085.711] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0085.711] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0085.711] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\*") returned 148 [0085.711] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.711] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.711] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.712] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.712] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.712] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.712] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\.") returned 148 [0085.712] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.712] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.712] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.712] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.712] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.712] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.712] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.712] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\..") returned 149 [0085.712] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.712] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.712] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.712] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.712] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.712] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.712] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.712] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.712] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json") returned 160 [0085.712] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.712] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.712] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.712] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.712] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.713] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json") returned 160 [0085.713] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.713] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json") returned 160 [0085.713] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.713] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json") returned 160 [0085.713] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.713] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.714] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.714] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.714] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.714] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.714] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.715] CloseHandle (hObject=0x200) returned 1 [0085.715] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json.protected") returned 170 [0085.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0085.716] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.716] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.716] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 176 [0085.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_pt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.716] lstrlenA (lpString="EMPTY") returned 5 [0085.716] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.717] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.717] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.717] CloseHandle (hObject=0x1fc) returned 1 [0085.717] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.717] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0085.717] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0085.717] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0085.717] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0085.717] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0085.717] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro") returned 143 [0085.717] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0085.717] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0085.718] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\*") returned 145 [0085.718] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.719] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.719] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.719] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.719] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.719] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.719] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\.") returned 145 [0085.719] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.719] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.719] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.719] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.719] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.719] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.719] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.719] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\..") returned 146 [0085.720] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.720] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.720] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.720] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.720] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.720] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.720] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.720] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.720] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json") returned 157 [0085.720] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.720] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.720] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.720] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.720] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json") returned 157 [0085.720] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.721] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json") returned 157 [0085.721] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.721] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json") returned 157 [0085.721] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.721] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.721] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.722] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.722] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.722] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.722] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.722] CloseHandle (hObject=0x200) returned 1 [0085.722] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json.protected") returned 167 [0085.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json.protected")) returned 1 [0085.723] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.723] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.723] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.723] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.723] lstrlenA (lpString="EMPTY") returned 5 [0085.723] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.724] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.724] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.724] CloseHandle (hObject=0x1fc) returned 1 [0085.725] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.725] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0085.725] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0085.725] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0085.725] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0085.725] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0085.725] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru") returned 143 [0085.725] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0085.725] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0085.725] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\*") returned 145 [0085.725] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.725] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.725] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.725] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.725] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.725] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.725] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\.") returned 145 [0085.725] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.725] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.725] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.725] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.725] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.725] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.725] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.725] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\..") returned 146 [0085.725] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.726] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.726] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.726] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.726] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.726] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.726] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.726] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.726] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json") returned 157 [0085.726] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.726] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.726] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.726] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json") returned 157 [0085.726] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json") returned 157 [0085.726] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json") returned 157 [0085.726] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.726] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.727] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.727] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.728] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.728] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.728] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.728] CloseHandle (hObject=0x200) returned 1 [0085.728] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json.protected") returned 167 [0085.728] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json.protected")) returned 1 [0085.729] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.729] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.729] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.729] lstrlenA (lpString="EMPTY") returned 5 [0085.729] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.730] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.730] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.730] CloseHandle (hObject=0x1fc) returned 1 [0085.730] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.730] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0085.730] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0085.730] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0085.731] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0085.731] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0085.731] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk") returned 143 [0085.731] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0085.731] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0085.731] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\*") returned 145 [0085.731] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.732] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.732] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.732] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.732] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.732] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.732] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\.") returned 145 [0085.732] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.732] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.732] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.732] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.732] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.732] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.732] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.732] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\..") returned 146 [0085.732] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.732] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.732] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.732] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.732] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.732] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.732] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.732] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.732] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json") returned 157 [0085.732] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.732] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.732] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.732] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.733] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json") returned 157 [0085.733] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.733] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json") returned 157 [0085.733] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.733] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json") returned 157 [0085.733] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.733] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.734] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.734] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.734] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.734] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.734] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.734] CloseHandle (hObject=0x200) returned 1 [0085.735] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json.protected") returned 167 [0085.735] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json.protected")) returned 1 [0085.735] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.735] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.735] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.736] lstrlenA (lpString="EMPTY") returned 5 [0085.736] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.736] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.737] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.737] CloseHandle (hObject=0x1fc) returned 1 [0085.737] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.737] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0085.737] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0085.737] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0085.737] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0085.737] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0085.737] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl") returned 143 [0085.737] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0085.737] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0085.737] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\*") returned 145 [0085.737] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.737] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.737] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.737] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.737] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.738] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.738] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\.") returned 145 [0085.738] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.738] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.738] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.738] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.738] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.738] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.738] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.738] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\..") returned 146 [0085.738] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.738] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.738] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.738] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.738] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.738] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.738] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.738] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.738] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json") returned 157 [0085.738] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.738] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.738] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.738] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.738] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.739] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json") returned 157 [0085.739] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.739] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json") returned 157 [0085.739] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.739] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json") returned 157 [0085.739] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.739] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.740] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.740] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.740] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.740] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.740] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.740] CloseHandle (hObject=0x200) returned 1 [0085.740] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json.protected") returned 167 [0085.740] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json.protected")) returned 1 [0085.741] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.741] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.741] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.742] lstrlenA (lpString="EMPTY") returned 5 [0085.742] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.742] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.742] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.743] CloseHandle (hObject=0x1fc) returned 1 [0085.743] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.743] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0085.743] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0085.743] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0085.743] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0085.743] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0085.743] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr") returned 143 [0085.743] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0085.743] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0085.743] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\*") returned 145 [0085.743] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.744] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.744] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.744] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.744] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.744] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.744] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\.") returned 145 [0085.744] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.744] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.744] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.744] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.744] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.744] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.744] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.744] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\..") returned 146 [0085.744] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.744] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.744] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.744] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.744] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.744] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.744] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.744] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.744] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json") returned 157 [0085.744] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.745] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.745] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.745] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.745] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json") returned 157 [0085.745] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json") returned 157 [0085.745] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json") returned 157 [0085.745] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.745] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.746] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.746] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.746] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.746] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.747] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.747] CloseHandle (hObject=0x200) returned 1 [0085.747] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json.protected") returned 167 [0085.747] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json.protected")) returned 1 [0085.747] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.748] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.748] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.748] lstrlenA (lpString="EMPTY") returned 5 [0085.748] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.749] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.749] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.749] CloseHandle (hObject=0x1fc) returned 1 [0085.749] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.749] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0085.749] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0085.749] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0085.749] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0085.749] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0085.749] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv") returned 143 [0085.750] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0085.750] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0085.750] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\*") returned 145 [0085.750] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.750] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.750] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.750] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.750] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.750] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.750] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\.") returned 145 [0085.750] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.750] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.750] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.750] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.750] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.750] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.750] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.750] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\..") returned 146 [0085.750] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.750] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.750] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.750] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.750] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.750] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.750] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.751] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.751] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json") returned 157 [0085.751] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.751] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.751] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.751] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.751] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json") returned 157 [0085.751] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.751] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json") returned 157 [0085.751] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.751] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json") returned 157 [0085.751] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.751] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.752] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.752] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.752] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.752] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.753] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.753] CloseHandle (hObject=0x200) returned 1 [0085.753] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json.protected") returned 167 [0085.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json.protected")) returned 1 [0085.753] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.754] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.754] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.754] lstrlenA (lpString="EMPTY") returned 5 [0085.754] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.755] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.755] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.755] CloseHandle (hObject=0x1fc) returned 1 [0085.755] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.755] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0085.755] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0085.755] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0085.755] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0085.755] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0085.755] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th") returned 143 [0085.755] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0085.755] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0085.755] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\*") returned 145 [0085.755] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.756] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.756] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.756] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.756] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.756] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.756] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\.") returned 145 [0085.756] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.756] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.756] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.756] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.757] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.757] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.757] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.757] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\..") returned 146 [0085.757] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.757] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.757] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.757] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.757] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.757] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.757] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.757] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.757] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json") returned 157 [0085.757] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.757] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.757] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.757] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.757] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json") returned 157 [0085.757] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.758] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json") returned 157 [0085.758] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.758] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json") returned 157 [0085.758] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.758] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.759] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.759] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.759] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.759] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.759] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.759] CloseHandle (hObject=0x200) returned 1 [0085.759] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json.protected") returned 167 [0085.759] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json.protected")) returned 1 [0085.760] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.760] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.760] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.760] lstrlenA (lpString="EMPTY") returned 5 [0085.760] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.761] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.761] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.761] CloseHandle (hObject=0x1fc) returned 1 [0085.762] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.762] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0085.762] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0085.762] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0085.762] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0085.762] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0085.762] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr") returned 143 [0085.762] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0085.762] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0085.762] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\*") returned 145 [0085.762] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.762] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.762] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.762] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.762] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.762] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.762] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\.") returned 145 [0085.762] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.762] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.762] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.762] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.762] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.762] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.763] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.763] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\..") returned 146 [0085.763] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.763] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.763] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.763] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.763] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.763] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.763] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.763] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.763] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json") returned 157 [0085.763] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.763] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.763] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.763] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.763] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.763] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json") returned 157 [0085.763] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.763] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json") returned 157 [0085.763] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.764] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json") returned 157 [0085.764] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.764] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.764] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.764] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.765] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.765] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.765] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.765] CloseHandle (hObject=0x200) returned 1 [0085.765] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json.protected") returned 167 [0085.765] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json.protected")) returned 1 [0085.766] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.766] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.766] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.766] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.766] lstrlenA (lpString="EMPTY") returned 5 [0085.766] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.767] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.767] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.767] CloseHandle (hObject=0x1fc) returned 1 [0085.767] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.767] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0085.767] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0085.767] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0085.767] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0085.767] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0085.767] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk") returned 143 [0085.768] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0085.768] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0085.768] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\*") returned 145 [0085.768] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.768] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.768] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.769] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.769] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.769] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.769] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\.") returned 145 [0085.769] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.769] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.769] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.769] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.769] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.769] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.769] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.769] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\..") returned 146 [0085.769] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.769] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.769] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.769] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.769] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.769] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.769] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.769] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.769] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json") returned 157 [0085.769] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.769] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.769] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.769] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.770] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json") returned 157 [0085.770] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.770] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json") returned 157 [0085.770] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.770] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json") returned 157 [0085.770] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.770] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.771] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.771] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.771] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.771] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.771] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.771] CloseHandle (hObject=0x200) returned 1 [0085.771] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json.protected") returned 167 [0085.771] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json.protected")) returned 1 [0085.772] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.772] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.772] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.772] lstrlenA (lpString="EMPTY") returned 5 [0085.772] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.773] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.773] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.774] CloseHandle (hObject=0x1fc) returned 1 [0085.774] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.774] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0085.774] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0085.774] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0085.774] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0085.774] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0085.774] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi") returned 143 [0085.774] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0085.774] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0085.774] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\*") returned 145 [0085.774] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.774] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.774] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.774] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.774] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.774] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.774] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\.") returned 145 [0085.774] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.774] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.775] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.775] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.775] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.775] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.775] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.775] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\..") returned 146 [0085.775] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.775] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.775] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.775] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.775] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.775] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.775] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.775] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.775] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json") returned 157 [0085.775] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.775] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.775] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.775] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.776] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json") returned 157 [0085.776] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.776] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json") returned 157 [0085.776] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.776] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json") returned 157 [0085.776] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.776] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.777] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.777] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.777] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.777] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.777] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.777] CloseHandle (hObject=0x200) returned 1 [0085.777] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json.protected") returned 167 [0085.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json.protected")) returned 1 [0085.778] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.778] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.778] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0085.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.779] lstrlenA (lpString="EMPTY") returned 5 [0085.779] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.780] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.780] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.780] CloseHandle (hObject=0x1fc) returned 1 [0085.780] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.780] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0085.780] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0085.780] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0085.780] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0085.780] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0085.780] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN") returned 146 [0085.780] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0085.780] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0085.780] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\*") returned 148 [0085.780] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.781] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.781] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.781] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.781] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.781] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.781] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\.") returned 148 [0085.781] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.781] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.782] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.782] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.782] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.782] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.782] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.782] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\..") returned 149 [0085.782] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.782] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.782] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.782] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.782] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.782] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.782] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.782] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.782] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json") returned 160 [0085.782] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.782] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.782] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.782] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.782] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json") returned 160 [0085.782] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.782] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json") returned 160 [0085.783] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.783] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json") returned 160 [0085.783] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.783] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.783] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.783] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.784] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.784] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.784] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.784] CloseHandle (hObject=0x200) returned 1 [0085.784] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json.protected") returned 170 [0085.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0085.785] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.785] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.785] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 176 [0085.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_cn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.785] lstrlenA (lpString="EMPTY") returned 5 [0085.785] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.786] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.786] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.786] CloseHandle (hObject=0x1fc) returned 1 [0085.786] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.786] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0085.786] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0085.786] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0085.786] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0085.786] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0085.786] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW") returned 146 [0085.786] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0085.786] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0085.786] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\*") returned 148 [0085.787] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.787] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.787] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.787] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.787] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.787] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.787] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\.") returned 148 [0085.787] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.787] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.787] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.787] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.787] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.787] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.787] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.787] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\..") returned 149 [0085.787] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.787] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.787] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.787] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.787] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.787] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.787] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.787] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.787] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json") returned 160 [0085.787] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.787] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.787] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.787] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.788] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json") returned 160 [0085.788] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.788] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json") returned 160 [0085.788] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.788] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json") returned 160 [0085.788] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.788] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.789] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.789] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0085.789] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.789] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.789] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.789] CloseHandle (hObject=0x200) returned 1 [0085.790] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json.protected") returned 170 [0085.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0085.790] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.790] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.790] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 176 [0085.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_tw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.791] lstrlenA (lpString="EMPTY") returned 5 [0085.791] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.792] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.792] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.792] CloseHandle (hObject=0x1fc) returned 1 [0085.792] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0085.792] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0085.792] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 170 [0085.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0085.792] lstrlenA (lpString="EMPTY") returned 5 [0085.792] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0085.793] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.793] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0085.793] CloseHandle (hObject=0x1f8) returned 1 [0085.794] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0085.794] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0085.794] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0085.794] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0085.794] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0085.794] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0085.794] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata") returned 141 [0085.794] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0085.794] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0085.794] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\*") returned 143 [0085.794] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0085.794] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.794] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.794] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.794] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.794] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.794] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\.") returned 143 [0085.794] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.794] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.794] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.794] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.794] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.794] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.794] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.794] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\..") returned 144 [0085.794] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.795] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.795] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.795] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0085.795] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0085.795] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0085.795] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0085.795] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0085.795] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json") returned 164 [0085.795] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0085.795] lstrcmpW (lpString1="verified_contents.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.795] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0085.795] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0085.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json") returned 164 [0085.795] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0085.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json") returned 164 [0085.795] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0085.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json") returned 164 [0085.795] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0085.795] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x2769, lpOverlapped=0x0) returned 1 [0085.807] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffd897, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.808] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x2769, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x2769, lpOverlapped=0x0) returned 1 [0085.808] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.808] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0085.808] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0085.808] CloseHandle (hObject=0x1fc) returned 1 [0085.808] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json.protected") returned 174 [0085.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json.protected")) returned 1 [0085.809] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0085.809] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0085.809] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0085.809] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0085.810] lstrlenA (lpString="EMPTY") returned 5 [0085.810] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0085.810] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.810] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0085.811] CloseHandle (hObject=0x1f8) returned 1 [0085.811] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0 [0085.811] FindClose (in: hFindFile=0x557570 | out: hFindFile=0x557570) returned 1 [0085.812] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 161 [0085.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0085.813] lstrlenA (lpString="EMPTY") returned 5 [0085.813] WriteFile (in: hFile=0x1f4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed6c4*=0x5, lpOverlapped=0x0) returned 1 [0085.813] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.813] WriteFile (in: hFile=0x1f4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed6c4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.814] CloseHandle (hObject=0x1f4) returned 1 [0085.814] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0 [0085.814] FindClose (in: hFindFile=0x557530 | out: hFindFile=0x557530) returned 1 [0085.814] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 153 [0085.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0085.814] lstrlenA (lpString="EMPTY") returned 5 [0085.814] WriteFile (in: hFile=0x1f0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed9bc*=0x5, lpOverlapped=0x0) returned 1 [0085.815] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.815] WriteFile (in: hFile=0x1f0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed9bc*=0x2ac, lpOverlapped=0x0) returned 1 [0085.815] CloseHandle (hObject=0x1f0) returned 1 [0085.815] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0085.815] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="Windows") returned -1 [0085.816] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="Program Files") returned -1 [0085.816] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="Program Files (x86)") returned -1 [0085.816] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="$Recycle.bin") returned 1 [0085.816] lstrcmpiW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="System Volume Information") returned -1 [0085.816] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap") returned 123 [0085.816] lstrcmpW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2=".") returned 1 [0085.816] lstrcmpW (lpString1="felcaaldnbdncclmgdcncolpebgiejap", lpString2="..") returned 1 [0085.816] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\*") returned 125 [0085.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\*", lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0x557530 [0085.817] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.817] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.817] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.817] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.817] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.817] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\.") returned 125 [0085.817] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.817] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0085.817] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.817] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.817] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.817] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.817] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.817] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\..") returned 126 [0085.817] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.817] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.817] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0085.817] lstrcmpiW (lpString1="1.1_0", lpString2="Windows") returned -1 [0085.817] lstrcmpiW (lpString1="1.1_0", lpString2="Program Files") returned -1 [0085.817] lstrcmpiW (lpString1="1.1_0", lpString2="Program Files (x86)") returned -1 [0085.817] lstrcmpiW (lpString1="1.1_0", lpString2="$Recycle.bin") returned 1 [0085.817] lstrcmpiW (lpString1="1.1_0", lpString2="System Volume Information") returned -1 [0085.817] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0") returned 129 [0085.817] lstrcmpW (lpString1="1.1_0", lpString2=".") returned 1 [0085.817] lstrcmpW (lpString1="1.1_0", lpString2="..") returned 1 [0085.817] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\*") returned 131 [0085.817] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\*", lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0x557570 [0085.838] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.838] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.838] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.838] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.838] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.838] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\.") returned 131 [0085.838] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.838] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0085.838] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.838] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.838] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.838] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.838] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.838] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\..") returned 132 [0085.838] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.838] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.838] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0085.838] lstrcmpiW (lpString1="icon_128.png", lpString2="Windows") returned -1 [0085.838] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files") returned -1 [0085.838] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files (x86)") returned -1 [0085.838] lstrcmpiW (lpString1="icon_128.png", lpString2="$Recycle.bin") returned 1 [0085.838] lstrcmpiW (lpString1="icon_128.png", lpString2="System Volume Information") returned -1 [0085.839] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png") returned 142 [0085.839] StrStrIW (lpFirst="icon_128.png", lpSrch=".protected") returned 0x0 [0085.839] lstrcmpW (lpString1="icon_128.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.839] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0085.839] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0085.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0085.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png") returned 142 [0085.840] StrStrW (lpFirst="icon_128.png", lpSrch=".txt") returned 0x0 [0085.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png") returned 142 [0085.840] StrStrW (lpFirst="icon_128.png", lpSrch=".rar") returned 0x0 [0085.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png") returned 142 [0085.840] StrStrW (lpFirst="icon_128.png", lpSrch=".zip") returned 0x0 [0085.840] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0xd47, lpOverlapped=0x0) returned 1 [0085.859] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffff2b9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.859] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0xd47, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0xd47, lpOverlapped=0x0) returned 1 [0085.859] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.859] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0085.860] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0085.860] CloseHandle (hObject=0x1f8) returned 1 [0085.861] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.protected") returned 152 [0085.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.protected")) returned 1 [0085.862] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0085.862] lstrcmpiW (lpString1="icon_16.png", lpString2="Windows") returned -1 [0085.862] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files") returned -1 [0085.862] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files (x86)") returned -1 [0085.862] lstrcmpiW (lpString1="icon_16.png", lpString2="$Recycle.bin") returned 1 [0085.862] lstrcmpiW (lpString1="icon_16.png", lpString2="System Volume Information") returned -1 [0085.862] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png") returned 141 [0085.862] StrStrIW (lpFirst="icon_16.png", lpSrch=".protected") returned 0x0 [0085.862] lstrcmpW (lpString1="icon_16.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.862] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0085.862] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0085.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0085.863] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png") returned 141 [0085.863] StrStrW (lpFirst="icon_16.png", lpSrch=".txt") returned 0x0 [0085.863] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png") returned 141 [0085.863] StrStrW (lpFirst="icon_16.png", lpSrch=".rar") returned 0x0 [0085.863] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png") returned 141 [0085.863] StrStrW (lpFirst="icon_16.png", lpSrch=".zip") returned 0x0 [0085.863] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x9d, lpOverlapped=0x0) returned 1 [0085.864] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffff63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.864] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x9d, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x9d, lpOverlapped=0x0) returned 1 [0085.865] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.865] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0085.865] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0085.865] CloseHandle (hObject=0x1f8) returned 1 [0085.866] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png.protected") returned 151 [0085.866] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png.protected")) returned 1 [0085.867] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0085.867] lstrcmpiW (lpString1="main.html", lpString2="Windows") returned -1 [0085.867] lstrcmpiW (lpString1="main.html", lpString2="Program Files") returned -1 [0085.867] lstrcmpiW (lpString1="main.html", lpString2="Program Files (x86)") returned -1 [0085.867] lstrcmpiW (lpString1="main.html", lpString2="$Recycle.bin") returned 1 [0085.867] lstrcmpiW (lpString1="main.html", lpString2="System Volume Information") returned -1 [0085.867] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html") returned 139 [0085.867] StrStrIW (lpFirst="main.html", lpSrch=".protected") returned 0x0 [0085.867] lstrcmpW (lpString1="main.html", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.867] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0085.867] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0085.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0085.868] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html") returned 139 [0085.868] StrStrW (lpFirst="main.html", lpSrch=".txt") returned 0x0 [0085.868] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html") returned 139 [0085.868] StrStrW (lpFirst="main.html", lpSrch=".rar") returned 0x0 [0085.868] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html") returned 139 [0085.868] StrStrW (lpFirst="main.html", lpSrch=".zip") returned 0x0 [0085.868] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x5c, lpOverlapped=0x0) returned 1 [0085.869] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffffa4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.869] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x5c, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x5c, lpOverlapped=0x0) returned 1 [0085.870] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.870] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0085.870] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0085.870] CloseHandle (hObject=0x1f8) returned 1 [0085.871] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html.protected") returned 149 [0085.871] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html.protected")) returned 1 [0085.872] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0085.872] lstrcmpiW (lpString1="main.js", lpString2="Windows") returned -1 [0085.872] lstrcmpiW (lpString1="main.js", lpString2="Program Files") returned -1 [0085.872] lstrcmpiW (lpString1="main.js", lpString2="Program Files (x86)") returned -1 [0085.872] lstrcmpiW (lpString1="main.js", lpString2="$Recycle.bin") returned 1 [0085.872] lstrcmpiW (lpString1="main.js", lpString2="System Volume Information") returned -1 [0085.872] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js") returned 137 [0085.872] StrStrIW (lpFirst="main.js", lpSrch=".protected") returned 0x0 [0085.872] lstrcmpW (lpString1="main.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.872] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0085.872] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0085.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0085.873] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js") returned 137 [0085.873] StrStrW (lpFirst="main.js", lpSrch=".txt") returned 0x0 [0085.873] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js") returned 137 [0085.873] StrStrW (lpFirst="main.js", lpSrch=".rar") returned 0x0 [0085.873] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js") returned 137 [0085.873] StrStrW (lpFirst="main.js", lpSrch=".zip") returned 0x0 [0085.873] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x5f, lpOverlapped=0x0) returned 1 [0085.874] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffffa1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.874] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x5f, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x5f, lpOverlapped=0x0) returned 1 [0085.875] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.875] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0085.875] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0085.875] CloseHandle (hObject=0x1f8) returned 1 [0085.876] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js.protected") returned 147 [0085.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js.protected")) returned 1 [0085.877] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0085.877] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0085.877] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0085.877] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0085.877] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0085.877] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0085.877] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json") returned 143 [0085.877] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0085.877] lstrcmpW (lpString1="manifest.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.877] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0085.878] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0085.878] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0085.878] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json") returned 143 [0085.878] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0085.878] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json") returned 143 [0085.878] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0085.878] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json") returned 143 [0085.878] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0085.878] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2d6, lpOverlapped=0x0) returned 1 [0085.889] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.889] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2d6, lpOverlapped=0x0) returned 1 [0085.890] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.891] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0085.891] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0085.891] CloseHandle (hObject=0x1f8) returned 1 [0085.892] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json.protected") returned 153 [0085.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json.protected")) returned 1 [0085.894] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0085.894] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0085.894] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0085.894] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0085.894] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0085.894] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0085.894] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales") returned 138 [0085.894] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0085.894] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0085.895] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\*") returned 140 [0085.895] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0085.896] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.896] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.896] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.896] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.896] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.896] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\.") returned 140 [0085.896] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.896] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.897] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.897] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.897] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.897] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.897] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.897] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\..") returned 141 [0085.897] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.897] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.897] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.897] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0085.897] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0085.897] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0085.897] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0085.897] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0085.897] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar") returned 141 [0085.897] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0085.897] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0085.897] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\*") returned 143 [0085.897] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.898] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.898] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.898] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.898] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.898] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.898] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\.") returned 143 [0085.898] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.898] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.898] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.898] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.898] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.898] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.898] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.898] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\..") returned 144 [0085.898] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.898] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.898] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.898] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.898] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.898] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.898] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.898] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.898] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json") returned 155 [0085.898] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.898] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.898] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.898] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.899] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json") returned 155 [0085.899] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.899] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json") returned 155 [0085.900] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.900] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json") returned 155 [0085.900] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.900] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xfe, lpOverlapped=0x0) returned 1 [0085.901] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.901] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xfe, lpOverlapped=0x0) returned 1 [0085.901] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.901] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.901] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.901] CloseHandle (hObject=0x200) returned 1 [0085.901] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json.protected") returned 165 [0085.902] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json.protected")) returned 1 [0085.903] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.903] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.903] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0085.903] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.903] lstrlenA (lpString="EMPTY") returned 5 [0085.903] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.904] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.904] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.905] CloseHandle (hObject=0x1fc) returned 1 [0085.905] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.905] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0085.905] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0085.905] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0085.905] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0085.905] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0085.905] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg") returned 141 [0085.905] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0085.905] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0085.905] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\*") returned 143 [0085.905] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.905] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.905] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.905] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.905] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.905] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.905] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\.") returned 143 [0085.905] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.905] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.906] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.906] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.906] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.906] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.906] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.906] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\..") returned 144 [0085.906] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.906] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.906] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.906] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.906] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.906] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.906] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.906] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.906] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json") returned 155 [0085.906] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.906] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.906] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.906] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.907] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json") returned 155 [0085.907] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.907] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json") returned 155 [0085.907] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.907] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json") returned 155 [0085.907] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.907] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x12f, lpOverlapped=0x0) returned 1 [0085.908] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffed1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.908] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x12f, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x12f, lpOverlapped=0x0) returned 1 [0085.908] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.908] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.908] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.908] CloseHandle (hObject=0x200) returned 1 [0085.908] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json.protected") returned 165 [0085.908] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json.protected")) returned 1 [0085.909] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.909] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.909] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0085.909] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.910] lstrlenA (lpString="EMPTY") returned 5 [0085.910] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.910] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.910] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.911] CloseHandle (hObject=0x1fc) returned 1 [0085.911] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.911] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0085.911] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0085.911] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0085.911] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0085.911] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0085.911] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca") returned 141 [0085.911] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0085.911] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0085.911] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\*") returned 143 [0085.911] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.911] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.911] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.911] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.911] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.911] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.911] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\.") returned 143 [0085.911] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.912] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.912] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.912] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.912] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.912] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.912] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.912] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\..") returned 144 [0085.912] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.912] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.912] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.912] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.912] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.912] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.912] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.912] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.912] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json") returned 155 [0085.912] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.912] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.912] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.912] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.912] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.913] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json") returned 155 [0085.913] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.913] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json") returned 155 [0085.913] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.913] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json") returned 155 [0085.913] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.913] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe5, lpOverlapped=0x0) returned 1 [0085.915] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.915] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe5, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe5, lpOverlapped=0x0) returned 1 [0085.915] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.915] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.915] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.915] CloseHandle (hObject=0x200) returned 1 [0085.915] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json.protected") returned 165 [0085.915] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json.protected")) returned 1 [0085.916] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.916] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.916] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0085.916] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.917] lstrlenA (lpString="EMPTY") returned 5 [0085.917] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.917] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.918] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.918] CloseHandle (hObject=0x1fc) returned 1 [0085.918] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.918] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0085.918] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0085.918] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0085.918] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0085.918] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0085.918] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs") returned 141 [0085.918] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0085.918] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0085.918] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\*") returned 143 [0085.918] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.918] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.918] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.918] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.919] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.919] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.919] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\.") returned 143 [0085.919] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.919] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.919] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.919] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.919] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.919] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.919] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.919] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\..") returned 144 [0085.919] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.919] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.919] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.919] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.919] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.919] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.919] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.919] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.919] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json") returned 155 [0085.919] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.919] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.919] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.919] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.919] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.920] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json") returned 155 [0085.920] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.920] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json") returned 155 [0085.920] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.920] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json") returned 155 [0085.920] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.920] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xda, lpOverlapped=0x0) returned 1 [0085.921] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.921] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xda, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xda, lpOverlapped=0x0) returned 1 [0085.921] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.921] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.921] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.921] CloseHandle (hObject=0x200) returned 1 [0085.921] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json.protected") returned 165 [0085.922] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json.protected")) returned 1 [0085.922] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.922] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.922] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0085.922] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.923] lstrlenA (lpString="EMPTY") returned 5 [0085.923] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.924] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.924] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.924] CloseHandle (hObject=0x1fc) returned 1 [0085.924] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.924] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0085.924] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0085.924] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0085.924] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0085.924] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0085.924] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da") returned 141 [0085.924] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0085.924] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0085.924] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\*") returned 143 [0085.924] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.925] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.925] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.925] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.925] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.925] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.925] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\.") returned 143 [0085.925] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.925] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.925] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.925] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.925] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.925] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.925] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.925] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\..") returned 144 [0085.925] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.925] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.925] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.925] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.925] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.925] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.925] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.925] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.925] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json") returned 155 [0085.925] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.925] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.925] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.925] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.925] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json") returned 155 [0085.927] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json") returned 155 [0085.927] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json") returned 155 [0085.927] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.927] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xcf, lpOverlapped=0x0) returned 1 [0085.928] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.928] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xcf, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xcf, lpOverlapped=0x0) returned 1 [0085.928] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.928] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.928] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.928] CloseHandle (hObject=0x200) returned 1 [0085.928] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json.protected") returned 165 [0085.928] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json.protected")) returned 1 [0085.929] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.929] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.929] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0085.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.930] lstrlenA (lpString="EMPTY") returned 5 [0085.930] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.931] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.931] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.931] CloseHandle (hObject=0x1fc) returned 1 [0085.931] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.931] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0085.931] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0085.931] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0085.931] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0085.931] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0085.931] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de") returned 141 [0085.931] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0085.931] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0085.931] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\*") returned 143 [0085.931] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.931] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.931] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.932] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.932] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.932] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.932] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\.") returned 143 [0085.932] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.932] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.932] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.932] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.932] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.932] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.932] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.932] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\..") returned 144 [0085.932] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.932] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.932] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.932] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.932] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.932] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.932] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.932] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.932] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json") returned 155 [0085.932] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.932] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.932] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.932] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.932] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.933] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json") returned 155 [0085.933] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.933] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json") returned 155 [0085.933] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.933] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json") returned 155 [0085.933] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.933] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xdc, lpOverlapped=0x0) returned 1 [0085.939] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.939] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xdc, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xdc, lpOverlapped=0x0) returned 1 [0085.939] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.940] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.940] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.940] CloseHandle (hObject=0x200) returned 1 [0085.940] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json.protected") returned 165 [0085.940] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json.protected")) returned 1 [0085.941] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.941] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.941] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0085.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.942] lstrlenA (lpString="EMPTY") returned 5 [0085.942] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.943] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.943] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.943] CloseHandle (hObject=0x1fc) returned 1 [0085.943] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.943] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0085.943] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0085.943] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0085.943] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0085.943] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0085.943] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el") returned 141 [0085.943] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0085.943] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0085.943] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\*") returned 143 [0085.943] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.944] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.944] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.944] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.944] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.944] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.944] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\.") returned 143 [0085.944] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.944] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.944] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.944] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.944] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.944] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.944] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.944] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\..") returned 144 [0085.944] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.944] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.944] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.944] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.944] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.944] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.944] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.944] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.944] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json") returned 155 [0085.944] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.944] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.945] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.945] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.945] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.946] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json") returned 155 [0085.946] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.946] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json") returned 155 [0085.946] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.946] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json") returned 155 [0085.946] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.947] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x130, lpOverlapped=0x0) returned 1 [0085.948] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffed0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.948] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x130, lpOverlapped=0x0) returned 1 [0085.948] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.948] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.948] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.948] CloseHandle (hObject=0x200) returned 1 [0085.948] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json.protected") returned 165 [0085.948] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json.protected")) returned 1 [0085.949] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.949] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.949] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0085.950] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.950] lstrlenA (lpString="EMPTY") returned 5 [0085.950] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.951] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.951] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.951] CloseHandle (hObject=0x1fc) returned 1 [0085.951] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.951] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0085.951] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0085.951] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0085.951] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0085.951] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0085.951] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB") returned 144 [0085.951] lstrcmpW (lpString1="en_GB", lpString2=".") returned 1 [0085.951] lstrcmpW (lpString1="en_GB", lpString2="..") returned 1 [0085.951] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\*") returned 146 [0085.952] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.952] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.952] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.952] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.952] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.952] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.952] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\.") returned 146 [0085.952] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.952] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.952] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.952] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.952] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.952] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.952] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.952] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\..") returned 147 [0085.952] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.952] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.952] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.952] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.952] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.952] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.952] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.952] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.952] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json") returned 158 [0085.953] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.953] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.953] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.953] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.953] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.953] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json") returned 158 [0085.953] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.953] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json") returned 158 [0085.953] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.953] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json") returned 158 [0085.953] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.953] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0085.955] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.955] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0085.955] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.955] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.955] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.955] CloseHandle (hObject=0x200) returned 1 [0085.955] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json.protected") returned 168 [0085.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_gb\\messages.json.protected")) returned 1 [0085.956] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.956] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.956] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0085.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_gb\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.957] lstrlenA (lpString="EMPTY") returned 5 [0085.957] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.957] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.957] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.958] CloseHandle (hObject=0x1fc) returned 1 [0085.958] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.958] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0085.958] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0085.958] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0085.958] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0085.958] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0085.958] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US") returned 144 [0085.958] lstrcmpW (lpString1="en_US", lpString2=".") returned 1 [0085.958] lstrcmpW (lpString1="en_US", lpString2="..") returned 1 [0085.958] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\*") returned 146 [0085.958] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.959] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.959] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.959] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.959] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.959] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.959] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\.") returned 146 [0085.959] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.959] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.959] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.959] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.959] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.959] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.959] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.959] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\..") returned 147 [0085.959] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.959] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.959] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.959] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.959] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.959] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.959] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.959] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.959] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json") returned 158 [0085.959] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.959] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.959] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.959] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.961] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json") returned 158 [0085.961] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.961] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json") returned 158 [0085.961] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.961] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json") returned 158 [0085.961] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.961] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0085.962] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.962] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0085.962] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.962] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.962] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.962] CloseHandle (hObject=0x200) returned 1 [0085.962] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json.protected") returned 168 [0085.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_us\\messages.json.protected")) returned 1 [0085.963] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.963] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.963] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0085.963] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_us\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.964] lstrlenA (lpString="EMPTY") returned 5 [0085.964] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.965] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.965] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.965] CloseHandle (hObject=0x1fc) returned 1 [0085.965] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.965] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0085.965] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0085.965] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0085.965] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0085.965] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0085.965] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es") returned 141 [0085.965] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0085.965] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0085.965] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\*") returned 143 [0085.965] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.966] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.966] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.966] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.966] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.966] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.966] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\.") returned 143 [0085.966] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.966] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.966] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.966] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.966] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.966] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.966] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.966] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\..") returned 144 [0085.966] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.966] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.966] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.966] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.966] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.966] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.966] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.966] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.966] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json") returned 155 [0085.966] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.966] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.966] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.966] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.967] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json") returned 155 [0085.967] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.967] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json") returned 155 [0085.967] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.967] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json") returned 155 [0085.967] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.967] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe5, lpOverlapped=0x0) returned 1 [0085.968] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.968] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe5, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe5, lpOverlapped=0x0) returned 1 [0085.968] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.968] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.968] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.968] CloseHandle (hObject=0x200) returned 1 [0085.969] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json.protected") returned 165 [0085.969] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json.protected")) returned 1 [0085.969] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.969] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.969] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0085.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.970] lstrlenA (lpString="EMPTY") returned 5 [0085.970] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.971] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.971] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.971] CloseHandle (hObject=0x1fc) returned 1 [0085.971] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.971] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0085.971] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0085.971] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0085.971] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0085.971] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0085.971] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419") returned 145 [0085.971] lstrcmpW (lpString1="es_419", lpString2=".") returned 1 [0085.971] lstrcmpW (lpString1="es_419", lpString2="..") returned 1 [0085.971] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\*") returned 147 [0085.971] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.972] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.972] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.972] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.972] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.972] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.972] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\.") returned 147 [0085.972] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.972] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.972] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.972] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.972] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.972] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.972] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.972] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\..") returned 148 [0085.972] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.972] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.972] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.972] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.972] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.972] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.972] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.972] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.972] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json") returned 159 [0085.972] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.972] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.973] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.973] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.975] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json") returned 159 [0085.975] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.975] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json") returned 159 [0085.975] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.975] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json") returned 159 [0085.975] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.975] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe5, lpOverlapped=0x0) returned 1 [0085.976] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.976] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe5, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe5, lpOverlapped=0x0) returned 1 [0085.976] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.976] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.976] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.976] CloseHandle (hObject=0x200) returned 1 [0085.977] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json.protected") returned 169 [0085.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json.protected")) returned 1 [0085.977] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.977] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.977] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0085.978] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.978] lstrlenA (lpString="EMPTY") returned 5 [0085.978] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.979] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.979] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.979] CloseHandle (hObject=0x1fc) returned 1 [0085.979] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.979] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0085.979] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0085.979] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0085.979] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0085.979] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0085.979] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et") returned 141 [0085.979] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0085.979] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0085.979] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\*") returned 143 [0085.979] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.980] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.980] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.980] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.980] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.980] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.980] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\.") returned 143 [0085.980] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.980] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.980] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.980] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.980] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.980] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.980] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.980] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\..") returned 144 [0085.980] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.980] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.980] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.980] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.980] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.980] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.980] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.980] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.980] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json") returned 155 [0085.980] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.980] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.980] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.981] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.981] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json") returned 155 [0085.981] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.981] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json") returned 155 [0085.981] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.981] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json") returned 155 [0085.981] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.981] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe2, lpOverlapped=0x0) returned 1 [0085.982] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.982] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe2, lpOverlapped=0x0) returned 1 [0085.982] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.982] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.983] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.983] CloseHandle (hObject=0x200) returned 1 [0085.983] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json.protected") returned 165 [0085.983] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json.protected")) returned 1 [0085.984] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.984] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.984] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0085.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.984] lstrlenA (lpString="EMPTY") returned 5 [0085.984] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.985] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.985] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.986] CloseHandle (hObject=0x1fc) returned 1 [0085.986] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.986] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0085.986] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0085.986] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0085.986] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0085.986] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0085.986] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi") returned 141 [0085.986] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0085.986] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0085.986] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\*") returned 143 [0085.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.986] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.986] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.986] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.986] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.987] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.987] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\.") returned 143 [0085.987] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.987] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.987] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.987] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.987] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.987] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.987] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.987] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\..") returned 144 [0085.987] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.987] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.987] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.987] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.987] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.987] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.987] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.987] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.987] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json") returned 155 [0085.987] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.987] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.987] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.987] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.989] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json") returned 155 [0085.989] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.989] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json") returned 155 [0085.989] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.989] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json") returned 155 [0085.989] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.989] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xdc, lpOverlapped=0x0) returned 1 [0085.990] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.990] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xdc, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xdc, lpOverlapped=0x0) returned 1 [0085.990] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.990] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.990] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.990] CloseHandle (hObject=0x200) returned 1 [0085.991] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json.protected") returned 165 [0085.991] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json.protected")) returned 1 [0085.991] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.992] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.992] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0085.992] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.992] lstrlenA (lpString="EMPTY") returned 5 [0085.992] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.993] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.993] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.993] CloseHandle (hObject=0x1fc) returned 1 [0085.993] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0085.993] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0085.993] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0085.993] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0085.993] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0085.993] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0085.993] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil") returned 142 [0085.993] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0085.993] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0085.994] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\*") returned 144 [0085.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0085.994] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.994] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0085.994] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0085.994] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.994] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.994] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\.") returned 144 [0085.994] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.994] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.994] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.994] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0085.994] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0085.994] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.994] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.994] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\..") returned 145 [0085.994] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.994] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.994] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0085.994] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0085.994] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0085.994] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0085.995] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0085.995] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0085.995] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json") returned 156 [0085.995] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0085.995] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0085.995] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0085.995] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0085.995] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0085.995] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json") returned 156 [0085.995] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0085.995] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json") returned 156 [0085.995] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0085.995] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json") returned 156 [0085.995] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0085.996] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xdf, lpOverlapped=0x0) returned 1 [0085.996] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.996] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xdf, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xdf, lpOverlapped=0x0) returned 1 [0085.997] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.997] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0085.997] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0085.997] CloseHandle (hObject=0x200) returned 1 [0085.997] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json.protected") returned 166 [0085.997] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json.protected")) returned 1 [0085.998] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0085.998] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0085.998] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0085.998] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0085.998] lstrlenA (lpString="EMPTY") returned 5 [0085.998] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0085.999] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0085.999] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0085.999] CloseHandle (hObject=0x1fc) returned 1 [0086.000] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.000] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0086.000] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0086.000] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0086.000] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0086.000] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0086.000] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr") returned 141 [0086.000] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0086.000] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0086.000] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\*") returned 143 [0086.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.000] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.000] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.000] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.000] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.000] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.000] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\.") returned 143 [0086.000] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.000] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.000] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.000] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.001] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.001] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.001] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.001] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\..") returned 144 [0086.001] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.001] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.001] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.001] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.001] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.001] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.001] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.001] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.001] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json") returned 155 [0086.001] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.001] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.001] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.001] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.002] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json") returned 155 [0086.002] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.002] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json") returned 155 [0086.002] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.002] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json") returned 155 [0086.002] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.002] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe2, lpOverlapped=0x0) returned 1 [0086.004] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.004] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe2, lpOverlapped=0x0) returned 1 [0086.004] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.004] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.004] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.004] CloseHandle (hObject=0x200) returned 1 [0086.004] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json.protected") returned 165 [0086.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json.protected")) returned 1 [0086.005] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.005] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.005] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.005] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.006] lstrlenA (lpString="EMPTY") returned 5 [0086.006] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.007] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.007] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.007] CloseHandle (hObject=0x1fc) returned 1 [0086.007] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.008] lstrcmpiW (lpString1="he", lpString2="Windows") returned -1 [0086.008] lstrcmpiW (lpString1="he", lpString2="Program Files") returned -1 [0086.008] lstrcmpiW (lpString1="he", lpString2="Program Files (x86)") returned -1 [0086.008] lstrcmpiW (lpString1="he", lpString2="$Recycle.bin") returned 1 [0086.008] lstrcmpiW (lpString1="he", lpString2="System Volume Information") returned -1 [0086.008] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he") returned 141 [0086.008] lstrcmpW (lpString1="he", lpString2=".") returned 1 [0086.008] lstrcmpW (lpString1="he", lpString2="..") returned 1 [0086.008] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\*") returned 143 [0086.008] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.008] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.008] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.008] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.008] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.008] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.008] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\.") returned 143 [0086.008] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.008] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.008] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.008] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.008] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.008] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.008] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.008] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\..") returned 144 [0086.008] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.008] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.009] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.009] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.009] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.009] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.009] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.009] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.009] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json") returned 155 [0086.009] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.009] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.009] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.009] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.009] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.009] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json") returned 155 [0086.009] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.009] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json") returned 155 [0086.009] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.009] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json") returned 155 [0086.010] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.010] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xee, lpOverlapped=0x0) returned 1 [0086.010] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.011] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xee, lpOverlapped=0x0) returned 1 [0086.011] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.011] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.011] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.011] CloseHandle (hObject=0x200) returned 1 [0086.011] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json.protected") returned 165 [0086.011] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json.protected")) returned 1 [0086.012] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.012] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.012] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.012] lstrlenA (lpString="EMPTY") returned 5 [0086.013] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.013] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.013] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.014] CloseHandle (hObject=0x1fc) returned 1 [0086.014] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.014] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0086.014] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0086.014] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0086.014] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0086.014] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0086.014] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi") returned 141 [0086.014] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0086.014] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0086.014] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\*") returned 143 [0086.014] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.014] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.014] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.014] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.014] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.014] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.014] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\.") returned 143 [0086.014] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.014] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.015] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.015] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.015] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.015] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.015] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.015] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\..") returned 144 [0086.015] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.015] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.015] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.015] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.015] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.015] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.015] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.015] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.015] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json") returned 155 [0086.015] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.015] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.015] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.015] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json") returned 155 [0086.016] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json") returned 155 [0086.016] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json") returned 155 [0086.016] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.016] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x11a, lpOverlapped=0x0) returned 1 [0086.017] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.017] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x11a, lpOverlapped=0x0) returned 1 [0086.018] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.018] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.018] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.018] CloseHandle (hObject=0x200) returned 1 [0086.018] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json.protected") returned 165 [0086.018] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json.protected")) returned 1 [0086.019] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.019] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.019] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.019] lstrlenA (lpString="EMPTY") returned 5 [0086.019] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.020] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.020] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.020] CloseHandle (hObject=0x1fc) returned 1 [0086.020] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.020] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0086.020] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0086.020] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0086.021] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0086.021] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0086.021] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu") returned 141 [0086.021] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0086.021] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0086.021] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\*") returned 143 [0086.021] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.021] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.021] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.021] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.021] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.021] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.021] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\.") returned 143 [0086.021] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.021] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.021] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.021] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.021] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.021] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.021] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.021] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\..") returned 144 [0086.021] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.021] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.021] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.021] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.021] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.021] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.022] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.022] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.022] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json") returned 155 [0086.022] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.022] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.022] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.022] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.022] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json") returned 155 [0086.022] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.022] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json") returned 155 [0086.022] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.022] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json") returned 155 [0086.022] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.022] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xeb, lpOverlapped=0x0) returned 1 [0086.023] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.023] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xeb, lpOverlapped=0x0) returned 1 [0086.023] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.024] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.024] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.024] CloseHandle (hObject=0x200) returned 1 [0086.024] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json.protected") returned 165 [0086.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json.protected")) returned 1 [0086.025] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.025] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.025] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.025] lstrlenA (lpString="EMPTY") returned 5 [0086.025] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.026] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.026] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.026] CloseHandle (hObject=0x1fc) returned 1 [0086.026] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.026] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0086.026] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0086.026] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0086.026] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0086.027] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0086.027] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id") returned 141 [0086.027] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0086.027] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0086.027] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\*") returned 143 [0086.027] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.027] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.027] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.027] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.027] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.027] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.027] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\.") returned 143 [0086.027] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.027] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.027] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.027] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.027] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.027] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.027] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.028] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\..") returned 144 [0086.028] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.028] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.028] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.028] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.028] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.028] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.028] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.028] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.028] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json") returned 155 [0086.028] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.028] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.028] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.028] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.028] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.029] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json") returned 155 [0086.029] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.029] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json") returned 155 [0086.029] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.029] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json") returned 155 [0086.029] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.029] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd8, lpOverlapped=0x0) returned 1 [0086.030] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.031] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd8, lpOverlapped=0x0) returned 1 [0086.031] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.031] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.031] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.031] CloseHandle (hObject=0x200) returned 1 [0086.031] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json.protected") returned 165 [0086.031] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json.protected")) returned 1 [0086.032] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.032] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.032] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.032] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.033] lstrlenA (lpString="EMPTY") returned 5 [0086.033] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.033] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.033] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.034] CloseHandle (hObject=0x1fc) returned 1 [0086.034] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.034] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0086.034] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0086.034] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0086.034] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0086.034] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0086.034] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it") returned 141 [0086.034] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0086.034] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0086.034] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\*") returned 143 [0086.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.034] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.034] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.034] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.034] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.034] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.034] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\.") returned 143 [0086.034] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.034] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.035] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.035] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.035] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.035] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.035] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.035] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\..") returned 144 [0086.035] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.035] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.035] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.035] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.035] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.035] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.035] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.035] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.035] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json") returned 155 [0086.035] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.035] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.035] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.035] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.036] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json") returned 155 [0086.036] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.036] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json") returned 155 [0086.036] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.036] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json") returned 155 [0086.036] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.036] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd7, lpOverlapped=0x0) returned 1 [0086.037] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.037] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd7, lpOverlapped=0x0) returned 1 [0086.037] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.037] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.037] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.037] CloseHandle (hObject=0x200) returned 1 [0086.037] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json.protected") returned 165 [0086.037] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json.protected")) returned 1 [0086.038] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.038] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.038] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.039] lstrlenA (lpString="EMPTY") returned 5 [0086.039] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.040] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.040] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.040] CloseHandle (hObject=0x1fc) returned 1 [0086.040] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.040] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0086.040] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0086.040] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0086.040] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0086.040] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0086.040] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja") returned 141 [0086.040] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0086.040] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0086.040] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\*") returned 143 [0086.040] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.041] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.041] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.041] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.041] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.041] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.041] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\.") returned 143 [0086.041] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.041] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.041] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.041] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.041] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.041] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.041] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.041] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\..") returned 144 [0086.041] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.041] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.041] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.041] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.041] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.041] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.041] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.041] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.041] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json") returned 155 [0086.041] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.041] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.041] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.041] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.043] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json") returned 155 [0086.043] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.043] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json") returned 155 [0086.043] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.043] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json") returned 155 [0086.043] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.043] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xf5, lpOverlapped=0x0) returned 1 [0086.044] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff0b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.044] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xf5, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xf5, lpOverlapped=0x0) returned 1 [0086.044] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.044] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.044] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.044] CloseHandle (hObject=0x200) returned 1 [0086.044] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json.protected") returned 165 [0086.045] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json.protected")) returned 1 [0086.045] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.045] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.045] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.046] lstrlenA (lpString="EMPTY") returned 5 [0086.046] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.047] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.047] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.047] CloseHandle (hObject=0x1fc) returned 1 [0086.047] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.047] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0086.047] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0086.047] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0086.047] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0086.047] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0086.047] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko") returned 141 [0086.047] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0086.047] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0086.047] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\*") returned 143 [0086.047] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.048] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.048] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.048] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.048] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.048] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.048] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\.") returned 143 [0086.048] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.048] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.048] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.048] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.048] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.048] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.048] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.048] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\..") returned 144 [0086.048] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.048] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.048] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.048] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.048] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.048] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.048] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.048] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.048] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json") returned 155 [0086.048] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.049] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.049] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.049] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.049] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json") returned 155 [0086.049] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.049] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json") returned 155 [0086.049] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.049] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json") returned 155 [0086.049] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.049] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0086.050] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.050] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe0, lpOverlapped=0x0) returned 1 [0086.050] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.050] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.051] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.051] CloseHandle (hObject=0x200) returned 1 [0086.051] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json.protected") returned 165 [0086.051] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json.protected")) returned 1 [0086.053] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.053] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.053] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.053] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.054] lstrlenA (lpString="EMPTY") returned 5 [0086.054] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.055] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.055] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.055] CloseHandle (hObject=0x1fc) returned 1 [0086.055] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.055] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0086.055] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0086.055] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0086.055] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0086.055] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0086.055] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt") returned 141 [0086.055] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0086.055] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0086.055] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\*") returned 143 [0086.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.056] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.056] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.056] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.056] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.056] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.056] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\.") returned 143 [0086.056] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.056] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.056] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.056] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.056] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.056] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.056] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.056] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\..") returned 144 [0086.056] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.056] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.056] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.056] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.056] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.056] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.056] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.056] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.056] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json") returned 155 [0086.056] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.056] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.056] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.056] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.058] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json") returned 155 [0086.058] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.058] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json") returned 155 [0086.058] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.058] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json") returned 155 [0086.058] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.058] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xeb, lpOverlapped=0x0) returned 1 [0086.059] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.059] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xeb, lpOverlapped=0x0) returned 1 [0086.059] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.059] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.059] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.059] CloseHandle (hObject=0x200) returned 1 [0086.059] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json.protected") returned 165 [0086.060] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json.protected")) returned 1 [0086.060] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.060] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.060] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.061] lstrlenA (lpString="EMPTY") returned 5 [0086.061] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.062] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.062] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.062] CloseHandle (hObject=0x1fc) returned 1 [0086.062] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.062] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0086.062] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0086.062] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0086.062] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0086.062] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0086.062] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv") returned 141 [0086.062] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0086.062] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0086.062] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\*") returned 143 [0086.062] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.063] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.063] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.063] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.063] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.063] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.063] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\.") returned 143 [0086.063] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.063] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.063] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.063] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.063] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.063] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.063] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.063] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\..") returned 144 [0086.063] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.063] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.063] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.063] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.063] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.063] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.063] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.063] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.063] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json") returned 155 [0086.064] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.064] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.064] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.064] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.064] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.064] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json") returned 155 [0086.064] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.064] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json") returned 155 [0086.064] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.064] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json") returned 155 [0086.064] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.064] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe5, lpOverlapped=0x0) returned 1 [0086.065] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.065] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe5, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe5, lpOverlapped=0x0) returned 1 [0086.065] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.066] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.066] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.066] CloseHandle (hObject=0x200) returned 1 [0086.066] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json.protected") returned 165 [0086.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json.protected")) returned 1 [0086.067] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.067] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.067] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.067] lstrlenA (lpString="EMPTY") returned 5 [0086.067] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.068] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.068] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.068] CloseHandle (hObject=0x1fc) returned 1 [0086.069] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.069] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0086.069] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0086.069] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0086.069] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0086.069] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0086.069] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms") returned 141 [0086.069] lstrcmpW (lpString1="ms", lpString2=".") returned 1 [0086.069] lstrcmpW (lpString1="ms", lpString2="..") returned 1 [0086.069] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\*") returned 143 [0086.069] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.069] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.069] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.069] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.069] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.069] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.069] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\.") returned 143 [0086.069] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.069] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.069] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.069] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.069] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.069] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.070] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.070] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\..") returned 144 [0086.070] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.070] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.070] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.070] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.070] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.070] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.070] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.070] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json") returned 155 [0086.070] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.070] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.070] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.070] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json") returned 155 [0086.071] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json") returned 155 [0086.071] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json") returned 155 [0086.071] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.071] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd0, lpOverlapped=0x0) returned 1 [0086.072] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.072] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd0, lpOverlapped=0x0) returned 1 [0086.072] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.072] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.073] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.073] CloseHandle (hObject=0x200) returned 1 [0086.073] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json.protected") returned 165 [0086.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json.protected")) returned 1 [0086.074] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.074] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.074] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.074] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.074] lstrlenA (lpString="EMPTY") returned 5 [0086.074] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.075] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.075] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.075] CloseHandle (hObject=0x1fc) returned 1 [0086.075] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.075] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0086.075] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0086.075] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0086.075] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0086.075] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0086.076] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl") returned 141 [0086.076] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0086.076] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0086.076] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\*") returned 143 [0086.076] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.076] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.076] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.076] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.076] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.076] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.076] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\.") returned 143 [0086.076] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.076] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.076] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.076] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.076] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.076] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.076] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.076] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\..") returned 144 [0086.076] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.076] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.076] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.076] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.076] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.076] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.077] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.077] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.077] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json") returned 155 [0086.077] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.077] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.077] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.077] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.077] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json") returned 155 [0086.077] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.077] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json") returned 155 [0086.077] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.077] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json") returned 155 [0086.077] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.077] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0086.078] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.078] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0086.078] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.079] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.079] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.079] CloseHandle (hObject=0x200) returned 1 [0086.079] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json.protected") returned 165 [0086.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json.protected")) returned 1 [0086.080] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.080] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.080] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.080] lstrlenA (lpString="EMPTY") returned 5 [0086.080] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.082] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.082] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.082] CloseHandle (hObject=0x1fc) returned 1 [0086.082] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.082] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0086.082] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0086.082] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0086.082] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0086.082] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0086.082] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no") returned 141 [0086.082] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0086.082] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0086.082] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\*") returned 143 [0086.082] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.083] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.083] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.083] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.083] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.083] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.083] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\.") returned 143 [0086.083] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.083] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.083] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.083] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.083] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.083] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.083] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.083] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\..") returned 144 [0086.083] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.083] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.083] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.083] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.083] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.083] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.083] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.083] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.083] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json") returned 155 [0086.083] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.083] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.083] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.083] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.085] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json") returned 155 [0086.085] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.085] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json") returned 155 [0086.085] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.085] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json") returned 155 [0086.085] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.085] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xbf, lpOverlapped=0x0) returned 1 [0086.086] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.086] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xbf, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xbf, lpOverlapped=0x0) returned 1 [0086.086] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.086] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.086] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.087] CloseHandle (hObject=0x200) returned 1 [0086.087] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json.protected") returned 165 [0086.087] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json.protected")) returned 1 [0086.087] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.088] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.088] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.088] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.088] lstrlenA (lpString="EMPTY") returned 5 [0086.088] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.089] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.089] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.090] CloseHandle (hObject=0x1fc) returned 1 [0086.090] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.090] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0086.090] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0086.090] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0086.090] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0086.090] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0086.090] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl") returned 141 [0086.090] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0086.090] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0086.090] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\*") returned 143 [0086.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.090] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.090] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.090] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.090] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.090] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.090] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\.") returned 143 [0086.090] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.091] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.091] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.091] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.091] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.091] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.091] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.091] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\..") returned 144 [0086.091] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.091] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.091] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.091] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.091] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.091] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.091] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.091] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.091] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json") returned 155 [0086.091] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.091] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.091] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.091] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.092] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json") returned 155 [0086.092] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.092] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json") returned 155 [0086.092] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.092] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json") returned 155 [0086.092] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.092] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd1, lpOverlapped=0x0) returned 1 [0086.093] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.093] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd1, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd1, lpOverlapped=0x0) returned 1 [0086.093] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.093] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.093] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.093] CloseHandle (hObject=0x200) returned 1 [0086.093] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json.protected") returned 165 [0086.094] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json.protected")) returned 1 [0086.094] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.094] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.094] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.095] lstrlenA (lpString="EMPTY") returned 5 [0086.095] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.096] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.096] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.096] CloseHandle (hObject=0x1fc) returned 1 [0086.096] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.096] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0086.096] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0086.096] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0086.096] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0086.096] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0086.096] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR") returned 144 [0086.096] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0086.096] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0086.096] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\*") returned 146 [0086.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.097] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.097] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.097] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.097] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.097] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.097] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\.") returned 146 [0086.097] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.097] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.097] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.097] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.097] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.097] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.097] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.097] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\..") returned 147 [0086.097] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.097] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.097] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.097] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.097] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.097] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.097] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.097] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.097] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0086.097] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.097] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.097] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.097] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0086.099] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0086.099] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0086.099] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.099] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0086.100] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.100] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0086.100] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.100] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.100] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.100] CloseHandle (hObject=0x200) returned 1 [0086.100] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json.protected") returned 168 [0086.100] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0086.101] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.101] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.101] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0086.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_br\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.102] lstrlenA (lpString="EMPTY") returned 5 [0086.102] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.103] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.103] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.103] CloseHandle (hObject=0x1fc) returned 1 [0086.103] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.103] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0086.103] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0086.103] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0086.103] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0086.103] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0086.103] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT") returned 144 [0086.103] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0086.103] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0086.103] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\*") returned 146 [0086.104] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.104] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.104] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.104] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.104] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.104] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.104] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\.") returned 146 [0086.104] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.104] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.104] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.104] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.104] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.104] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.104] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.104] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\..") returned 147 [0086.104] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.104] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.104] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.104] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.104] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.104] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.104] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.104] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.105] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0086.105] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.105] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.105] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.105] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.105] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0086.105] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.105] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0086.105] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.105] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0086.105] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.105] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe6, lpOverlapped=0x0) returned 1 [0086.106] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.106] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe6, lpOverlapped=0x0) returned 1 [0086.107] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.107] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.107] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.107] CloseHandle (hObject=0x200) returned 1 [0086.107] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json.protected") returned 168 [0086.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0086.108] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.108] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.108] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0086.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_pt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.109] lstrlenA (lpString="EMPTY") returned 5 [0086.109] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.110] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.110] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.110] CloseHandle (hObject=0x1fc) returned 1 [0086.110] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.110] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0086.110] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0086.110] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0086.110] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0086.110] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0086.110] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro") returned 141 [0086.110] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0086.110] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0086.110] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\*") returned 143 [0086.110] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.111] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.111] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.111] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.111] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.111] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.111] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\.") returned 143 [0086.111] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.111] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.111] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.111] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.111] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.111] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.111] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.111] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\..") returned 144 [0086.111] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.111] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.111] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.111] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.111] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.111] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.111] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.111] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.111] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json") returned 155 [0086.111] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.111] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.111] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.111] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.113] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json") returned 155 [0086.113] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.113] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json") returned 155 [0086.113] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.113] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json") returned 155 [0086.113] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.113] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe2, lpOverlapped=0x0) returned 1 [0086.114] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.114] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe2, lpOverlapped=0x0) returned 1 [0086.114] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.114] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.114] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.114] CloseHandle (hObject=0x200) returned 1 [0086.115] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json.protected") returned 165 [0086.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json.protected")) returned 1 [0086.115] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.115] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.116] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.116] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.116] lstrlenA (lpString="EMPTY") returned 5 [0086.116] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.117] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.117] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.117] CloseHandle (hObject=0x1fc) returned 1 [0086.117] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.117] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0086.117] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0086.117] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0086.117] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0086.118] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0086.118] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru") returned 141 [0086.118] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0086.118] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0086.118] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\*") returned 143 [0086.118] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.118] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.118] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.118] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.118] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.118] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.118] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\.") returned 143 [0086.118] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.118] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.118] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.118] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.118] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.118] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.118] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.118] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\..") returned 144 [0086.118] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.118] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.119] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.119] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.119] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.119] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.119] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.119] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.119] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json") returned 155 [0086.119] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.119] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.119] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.119] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.119] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.119] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json") returned 155 [0086.119] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.119] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json") returned 155 [0086.119] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.119] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json") returned 155 [0086.120] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.120] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xfe, lpOverlapped=0x0) returned 1 [0086.121] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.121] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xfe, lpOverlapped=0x0) returned 1 [0086.121] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.121] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.121] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.121] CloseHandle (hObject=0x200) returned 1 [0086.121] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json.protected") returned 165 [0086.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json.protected")) returned 1 [0086.122] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.122] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.122] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.123] lstrlenA (lpString="EMPTY") returned 5 [0086.123] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.123] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.123] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.124] CloseHandle (hObject=0x1fc) returned 1 [0086.124] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.124] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0086.124] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0086.124] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0086.124] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0086.124] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0086.124] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk") returned 141 [0086.124] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0086.124] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0086.124] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\*") returned 143 [0086.124] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.124] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.124] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.124] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.125] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.125] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.125] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\.") returned 143 [0086.125] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.125] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.125] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.125] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.125] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.125] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.125] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.125] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\..") returned 144 [0086.125] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.125] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.125] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.125] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.125] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.125] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.125] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.125] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.125] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json") returned 155 [0086.125] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.125] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.125] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.125] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.126] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json") returned 155 [0086.126] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.127] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json") returned 155 [0086.127] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.127] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json") returned 155 [0086.127] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.127] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xdb, lpOverlapped=0x0) returned 1 [0086.128] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.128] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xdb, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xdb, lpOverlapped=0x0) returned 1 [0086.128] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.128] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.128] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.128] CloseHandle (hObject=0x200) returned 1 [0086.128] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json.protected") returned 165 [0086.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json.protected")) returned 1 [0086.129] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.129] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.129] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.130] lstrlenA (lpString="EMPTY") returned 5 [0086.130] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.131] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.131] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.131] CloseHandle (hObject=0x1fc) returned 1 [0086.131] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.131] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0086.131] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0086.131] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0086.131] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0086.131] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0086.131] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl") returned 141 [0086.131] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0086.131] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0086.131] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\*") returned 143 [0086.131] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.132] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.132] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.132] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.132] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.132] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.132] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\.") returned 143 [0086.132] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.132] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.132] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.132] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.132] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.132] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.132] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.132] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\..") returned 144 [0086.132] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.132] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.132] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.132] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.132] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.132] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.132] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.132] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.132] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json") returned 155 [0086.132] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.132] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.132] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.132] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.133] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.133] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json") returned 155 [0086.133] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.133] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json") returned 155 [0086.133] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.133] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json") returned 155 [0086.133] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.133] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0086.134] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.134] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0086.134] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.134] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.134] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.135] CloseHandle (hObject=0x200) returned 1 [0086.135] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json.protected") returned 165 [0086.135] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json.protected")) returned 1 [0086.135] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.135] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.136] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.136] lstrlenA (lpString="EMPTY") returned 5 [0086.136] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.137] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.137] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.138] CloseHandle (hObject=0x1fc) returned 1 [0086.138] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.138] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0086.138] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0086.138] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0086.138] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0086.138] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0086.138] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr") returned 141 [0086.138] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0086.138] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0086.138] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\*") returned 143 [0086.138] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.138] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.138] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.138] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.138] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.138] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.139] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\.") returned 143 [0086.139] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.139] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.139] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.139] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.139] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.139] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.139] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.139] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\..") returned 144 [0086.139] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.139] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.139] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.139] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.139] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.139] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.139] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.139] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.139] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json") returned 155 [0086.139] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.139] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.139] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.139] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.140] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json") returned 155 [0086.141] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.141] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json") returned 155 [0086.141] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.141] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json") returned 155 [0086.141] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.141] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xec, lpOverlapped=0x0) returned 1 [0086.142] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.142] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xec, lpOverlapped=0x0) returned 1 [0086.142] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.142] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.142] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.142] CloseHandle (hObject=0x200) returned 1 [0086.142] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json.protected") returned 165 [0086.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json.protected")) returned 1 [0086.143] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.143] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.143] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.143] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.144] lstrlenA (lpString="EMPTY") returned 5 [0086.144] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.144] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.144] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.145] CloseHandle (hObject=0x1fc) returned 1 [0086.145] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.145] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0086.145] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0086.145] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0086.145] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0086.145] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0086.145] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv") returned 141 [0086.145] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0086.145] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0086.145] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\*") returned 143 [0086.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.145] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.145] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.145] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.145] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.145] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.145] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\.") returned 143 [0086.145] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.145] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.145] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.145] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.145] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.145] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.145] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.145] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\..") returned 144 [0086.145] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.145] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.145] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.145] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.145] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.146] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.146] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.146] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.146] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json") returned 155 [0086.146] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.146] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.146] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.146] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.146] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json") returned 155 [0086.146] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.146] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json") returned 155 [0086.146] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.146] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json") returned 155 [0086.146] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.146] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd8, lpOverlapped=0x0) returned 1 [0086.147] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.147] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd8, lpOverlapped=0x0) returned 1 [0086.147] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.147] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.147] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.147] CloseHandle (hObject=0x200) returned 1 [0086.147] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json.protected") returned 165 [0086.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json.protected")) returned 1 [0086.148] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.148] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.148] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.148] lstrlenA (lpString="EMPTY") returned 5 [0086.148] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.149] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.149] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.149] CloseHandle (hObject=0x1fc) returned 1 [0086.149] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.149] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0086.149] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0086.149] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0086.149] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0086.149] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0086.149] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th") returned 141 [0086.149] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0086.149] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0086.149] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\*") returned 143 [0086.149] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.150] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.150] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.150] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.150] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.150] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.150] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\.") returned 143 [0086.150] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.150] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.150] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.150] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.150] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.150] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.150] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.150] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\..") returned 144 [0086.150] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.150] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.150] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.150] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.150] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.150] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.150] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.150] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.150] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json") returned 155 [0086.150] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.150] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.150] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.150] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.150] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.151] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json") returned 155 [0086.151] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.151] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json") returned 155 [0086.151] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.151] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json") returned 155 [0086.151] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.151] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x10a, lpOverlapped=0x0) returned 1 [0086.152] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.152] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x10a, lpOverlapped=0x0) returned 1 [0086.152] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.152] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.152] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.152] CloseHandle (hObject=0x200) returned 1 [0086.152] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json.protected") returned 165 [0086.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json.protected")) returned 1 [0086.153] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.153] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.153] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.154] lstrlenA (lpString="EMPTY") returned 5 [0086.154] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.154] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.154] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.154] CloseHandle (hObject=0x1fc) returned 1 [0086.154] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.154] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0086.155] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0086.155] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0086.155] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0086.155] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0086.155] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr") returned 141 [0086.155] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0086.155] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0086.155] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\*") returned 143 [0086.155] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.155] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.155] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.155] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.155] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.155] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.155] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\.") returned 143 [0086.155] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.155] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.155] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.155] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.155] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.155] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.155] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.155] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\..") returned 144 [0086.155] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.155] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.155] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.155] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.155] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.155] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.155] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.155] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.155] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json") returned 155 [0086.155] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.155] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.155] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.156] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.156] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json") returned 155 [0086.156] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.156] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json") returned 155 [0086.156] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.156] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json") returned 155 [0086.156] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.156] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe1, lpOverlapped=0x0) returned 1 [0086.157] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.157] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe1, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe1, lpOverlapped=0x0) returned 1 [0086.157] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.157] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.157] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.157] CloseHandle (hObject=0x200) returned 1 [0086.157] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json.protected") returned 165 [0086.157] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json.protected")) returned 1 [0086.158] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.158] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.158] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.158] lstrlenA (lpString="EMPTY") returned 5 [0086.158] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.159] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.159] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.159] CloseHandle (hObject=0x1fc) returned 1 [0086.159] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.159] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0086.159] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0086.159] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0086.159] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0086.159] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0086.159] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk") returned 141 [0086.159] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0086.159] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0086.159] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\*") returned 143 [0086.159] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.160] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.160] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.160] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.160] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.160] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.160] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\.") returned 143 [0086.160] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.160] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.160] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.160] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.160] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.160] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.160] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.160] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\..") returned 144 [0086.160] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.160] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.160] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.160] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.160] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.160] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.160] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.160] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.160] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json") returned 155 [0086.160] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.160] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.160] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.160] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.161] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json") returned 155 [0086.161] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.161] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json") returned 155 [0086.161] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.161] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json") returned 155 [0086.161] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.161] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xfe, lpOverlapped=0x0) returned 1 [0086.162] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.162] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xfe, lpOverlapped=0x0) returned 1 [0086.162] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.162] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.162] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.162] CloseHandle (hObject=0x200) returned 1 [0086.162] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json.protected") returned 165 [0086.162] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json.protected")) returned 1 [0086.163] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.163] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.163] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.163] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.163] lstrlenA (lpString="EMPTY") returned 5 [0086.163] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.164] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.164] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.164] CloseHandle (hObject=0x1fc) returned 1 [0086.164] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.164] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0086.164] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0086.164] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0086.164] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0086.164] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0086.164] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi") returned 141 [0086.165] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0086.165] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0086.165] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\*") returned 143 [0086.165] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.165] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.165] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.165] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.165] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.165] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.165] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\.") returned 143 [0086.165] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.165] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.165] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.165] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.165] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.165] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.165] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.165] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\..") returned 144 [0086.165] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.165] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.165] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.165] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.165] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.165] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.165] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.165] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.165] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json") returned 155 [0086.165] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.165] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.165] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.166] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.166] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json") returned 155 [0086.166] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.166] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json") returned 155 [0086.166] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.166] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json") returned 155 [0086.166] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.166] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe3, lpOverlapped=0x0) returned 1 [0086.167] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.167] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe3, lpOverlapped=0x0) returned 1 [0086.167] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.167] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.167] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.167] CloseHandle (hObject=0x200) returned 1 [0086.168] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json.protected") returned 165 [0086.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json.protected")) returned 1 [0086.168] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.168] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.168] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.169] lstrlenA (lpString="EMPTY") returned 5 [0086.169] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.170] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.170] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.170] CloseHandle (hObject=0x1fc) returned 1 [0086.170] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.170] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0086.170] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0086.170] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0086.170] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0086.170] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0086.170] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN") returned 144 [0086.170] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0086.170] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0086.170] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\*") returned 146 [0086.170] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.170] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.170] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.170] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.170] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.170] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.170] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\.") returned 146 [0086.170] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.170] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.170] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.171] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.171] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.171] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.171] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.171] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\..") returned 147 [0086.171] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.171] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.171] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.171] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.171] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.171] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.171] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.171] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.171] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0086.171] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.171] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.171] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.171] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.171] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0086.171] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.171] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0086.171] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.171] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0086.171] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.171] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd4, lpOverlapped=0x0) returned 1 [0086.172] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.172] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd4, lpOverlapped=0x0) returned 1 [0086.172] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.172] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.172] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.172] CloseHandle (hObject=0x200) returned 1 [0086.173] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json.protected") returned 168 [0086.173] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0086.173] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.173] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.173] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0086.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_cn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.174] lstrlenA (lpString="EMPTY") returned 5 [0086.174] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.174] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.174] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.175] CloseHandle (hObject=0x1fc) returned 1 [0086.175] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.175] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0086.175] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0086.175] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0086.175] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0086.175] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0086.175] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW") returned 144 [0086.175] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0086.175] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0086.175] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\*") returned 146 [0086.175] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.175] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.175] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.175] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.175] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.175] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.175] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\.") returned 146 [0086.175] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.175] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.175] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.175] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.175] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.175] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.176] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.176] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\..") returned 147 [0086.176] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.176] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.176] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.176] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.176] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.176] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.176] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.176] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.176] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0086.176] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.176] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.176] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.176] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0086.176] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0086.176] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0086.176] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.176] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd4, lpOverlapped=0x0) returned 1 [0086.177] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.177] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd4, lpOverlapped=0x0) returned 1 [0086.177] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.177] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.177] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.177] CloseHandle (hObject=0x200) returned 1 [0086.177] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json.protected") returned 168 [0086.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0086.178] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.178] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.178] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0086.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_tw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.178] lstrlenA (lpString="EMPTY") returned 5 [0086.178] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.179] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.179] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.180] CloseHandle (hObject=0x1fc) returned 1 [0086.180] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0086.180] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0086.180] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 168 [0086.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0086.180] lstrlenA (lpString="EMPTY") returned 5 [0086.180] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0086.181] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.181] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0086.181] CloseHandle (hObject=0x1f8) returned 1 [0086.181] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0086.181] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0086.181] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0086.181] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0086.181] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0086.181] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0086.181] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata") returned 139 [0086.181] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0086.181] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0086.181] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\*") returned 141 [0086.181] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0086.182] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.182] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.182] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.182] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.182] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.182] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\.") returned 141 [0086.182] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.182] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.182] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.182] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.182] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.182] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.182] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.182] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\..") returned 142 [0086.182] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.182] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.182] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.182] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0086.182] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0086.182] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files (x86)") returned -1 [0086.182] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0086.182] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0086.182] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json") returned 160 [0086.182] StrStrIW (lpFirst="computed_hashes.json", lpSrch=".protected") returned 0x0 [0086.182] lstrcmpW (lpString1="computed_hashes.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0086.182] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0086.182] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0086.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.183] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json") returned 160 [0086.183] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0086.183] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json") returned 160 [0086.183] StrStrW (lpFirst="computed_hashes.json", lpSrch=".rar") returned 0x0 [0086.183] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json") returned 160 [0086.183] StrStrW (lpFirst="computed_hashes.json", lpSrch=".zip") returned 0x0 [0086.183] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x160, lpOverlapped=0x0) returned 1 [0086.184] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffffea0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.184] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x160, lpOverlapped=0x0) returned 1 [0086.184] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.184] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0086.184] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0086.184] CloseHandle (hObject=0x1fc) returned 1 [0086.184] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json.protected") returned 170 [0086.184] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json.protected")) returned 1 [0086.186] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.186] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0086.186] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0086.186] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0086.186] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0086.186] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0086.186] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json") returned 162 [0086.186] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0086.186] lstrcmpW (lpString1="verified_contents.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.186] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0086.186] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0086.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json") returned 162 [0086.187] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0086.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json") returned 162 [0086.187] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0086.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json") returned 162 [0086.187] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0086.187] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0086.290] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.290] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0086.291] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.291] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0086.291] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0086.291] CloseHandle (hObject=0x1fc) returned 1 [0086.291] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json.protected") returned 172 [0086.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json.protected")) returned 1 [0086.292] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0086.292] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0086.292] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 169 [0086.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0086.330] lstrlenA (lpString="EMPTY") returned 5 [0086.330] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0086.331] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.331] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0086.331] CloseHandle (hObject=0x1f8) returned 1 [0086.331] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0 [0086.331] FindClose (in: hFindFile=0x557570 | out: hFindFile=0x557570) returned 1 [0086.332] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 159 [0086.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0086.333] lstrlenA (lpString="EMPTY") returned 5 [0086.333] WriteFile (in: hFile=0x1f4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed6c4*=0x5, lpOverlapped=0x0) returned 1 [0086.333] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.334] WriteFile (in: hFile=0x1f4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed6c4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.334] CloseHandle (hObject=0x1f4) returned 1 [0086.334] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0 [0086.334] FindClose (in: hFindFile=0x557530 | out: hFindFile=0x557530) returned 1 [0086.334] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 153 [0086.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0086.335] lstrlenA (lpString="EMPTY") returned 5 [0086.335] WriteFile (in: hFile=0x1f0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed9bc*=0x5, lpOverlapped=0x0) returned 1 [0086.336] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.336] WriteFile (in: hFile=0x1f0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed9bc*=0x2ac, lpOverlapped=0x0) returned 1 [0086.336] CloseHandle (hObject=0x1f0) returned 1 [0086.336] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0086.336] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Windows") returned -1 [0086.336] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Program Files") returned -1 [0086.336] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="Program Files (x86)") returned -1 [0086.336] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="$Recycle.bin") returned 1 [0086.336] lstrcmpiW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="System Volume Information") returned -1 [0086.336] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi") returned 123 [0086.336] lstrcmpW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2=".") returned 1 [0086.336] lstrcmpW (lpString1="ghbmnnjooekpmoecnnnilnnbdlolhkhi", lpString2="..") returned 1 [0086.336] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\*") returned 125 [0086.336] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\*", lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0x557530 [0086.354] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.354] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.354] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.354] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.354] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.354] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\.") returned 125 [0086.354] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.354] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0086.354] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.354] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.354] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.354] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.354] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.355] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\..") returned 126 [0086.355] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.355] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.355] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0086.355] lstrcmpiW (lpString1="1.4_0", lpString2="Windows") returned -1 [0086.355] lstrcmpiW (lpString1="1.4_0", lpString2="Program Files") returned -1 [0086.355] lstrcmpiW (lpString1="1.4_0", lpString2="Program Files (x86)") returned -1 [0086.355] lstrcmpiW (lpString1="1.4_0", lpString2="$Recycle.bin") returned 1 [0086.355] lstrcmpiW (lpString1="1.4_0", lpString2="System Volume Information") returned -1 [0086.355] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0") returned 129 [0086.355] lstrcmpW (lpString1="1.4_0", lpString2=".") returned 1 [0086.355] lstrcmpW (lpString1="1.4_0", lpString2="..") returned 1 [0086.355] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\*") returned 131 [0086.355] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\*", lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0x557570 [0086.373] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.373] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.373] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.373] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.373] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.373] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\.") returned 131 [0086.373] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.373] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0086.373] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.373] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.373] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.373] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.373] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.373] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\..") returned 132 [0086.373] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.373] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.373] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0086.373] lstrcmpiW (lpString1="128.png", lpString2="Windows") returned -1 [0086.373] lstrcmpiW (lpString1="128.png", lpString2="Program Files") returned -1 [0086.373] lstrcmpiW (lpString1="128.png", lpString2="Program Files (x86)") returned -1 [0086.373] lstrcmpiW (lpString1="128.png", lpString2="$Recycle.bin") returned 1 [0086.373] lstrcmpiW (lpString1="128.png", lpString2="System Volume Information") returned -1 [0086.373] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png") returned 137 [0086.373] StrStrIW (lpFirst="128.png", lpSrch=".protected") returned 0x0 [0086.373] lstrcmpW (lpString1="128.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0086.373] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0086.374] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0086.374] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0086.374] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png") returned 137 [0086.374] StrStrW (lpFirst="128.png", lpSrch=".txt") returned 0x0 [0086.374] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png") returned 137 [0086.374] StrStrW (lpFirst="128.png", lpSrch=".rar") returned 0x0 [0086.374] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png") returned 137 [0086.374] StrStrW (lpFirst="128.png", lpSrch=".zip") returned 0x0 [0086.374] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x1378, lpOverlapped=0x0) returned 1 [0086.385] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffec88, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.385] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x1378, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x1378, lpOverlapped=0x0) returned 1 [0086.385] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.385] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0086.386] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0086.386] CloseHandle (hObject=0x1f8) returned 1 [0086.386] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.protected") returned 147 [0086.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.protected")) returned 1 [0086.387] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0086.387] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="Windows") returned -1 [0086.387] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="Program Files") returned -1 [0086.387] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="Program Files (x86)") returned -1 [0086.387] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="$Recycle.bin") returned 1 [0086.387] lstrcmpiW (lpString1="contentscript_bin_prod.js", lpString2="System Volume Information") returned -1 [0086.387] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js") returned 155 [0086.387] StrStrIW (lpFirst="contentscript_bin_prod.js", lpSrch=".protected") returned 0x0 [0086.387] lstrcmpW (lpString1="contentscript_bin_prod.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0086.387] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0086.388] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0086.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0086.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js") returned 155 [0086.389] StrStrW (lpFirst="contentscript_bin_prod.js", lpSrch=".txt") returned 0x0 [0086.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js") returned 155 [0086.389] StrStrW (lpFirst="contentscript_bin_prod.js", lpSrch=".rar") returned 0x0 [0086.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js") returned 155 [0086.389] StrStrW (lpFirst="contentscript_bin_prod.js", lpSrch=".zip") returned 0x0 [0086.389] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x1103, lpOverlapped=0x0) returned 1 [0086.405] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffeefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.405] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x1103, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x1103, lpOverlapped=0x0) returned 1 [0086.406] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.406] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0086.406] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0086.406] CloseHandle (hObject=0x1f8) returned 1 [0086.406] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js.protected") returned 165 [0086.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js.protected")) returned 1 [0086.407] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0086.407] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="Windows") returned -1 [0086.407] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="Program Files") returned -1 [0086.407] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="Program Files (x86)") returned -1 [0086.407] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="$Recycle.bin") returned 1 [0086.407] lstrcmpiW (lpString1="dasherSettingSchema.json", lpString2="System Volume Information") returned -1 [0086.407] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json") returned 154 [0086.407] StrStrIW (lpFirst="dasherSettingSchema.json", lpSrch=".protected") returned 0x0 [0086.407] lstrcmpW (lpString1="dasherSettingSchema.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0086.407] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0086.408] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0086.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dashersettingschema.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0086.408] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json") returned 154 [0086.408] StrStrW (lpFirst="dasherSettingSchema.json", lpSrch=".txt") returned 0x0 [0086.408] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json") returned 154 [0086.408] StrStrW (lpFirst="dasherSettingSchema.json", lpSrch=".rar") returned 0x0 [0086.408] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json") returned 154 [0086.408] StrStrW (lpFirst="dasherSettingSchema.json", lpSrch=".zip") returned 0x0 [0086.408] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x356, lpOverlapped=0x0) returned 1 [0086.416] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffffcaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.416] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x356, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x356, lpOverlapped=0x0) returned 1 [0086.417] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.417] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0086.417] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0086.417] CloseHandle (hObject=0x1f8) returned 1 [0086.418] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json.protected") returned 164 [0086.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dashersettingschema.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dashersettingschema.json.protected")) returned 1 [0086.419] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0086.419] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="Windows") returned -1 [0086.419] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="Program Files") returned -1 [0086.419] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="Program Files (x86)") returned -1 [0086.419] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="$Recycle.bin") returned 1 [0086.419] lstrcmpiW (lpString1="eventpage_bin_prod.js", lpString2="System Volume Information") returned -1 [0086.419] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js") returned 151 [0086.419] StrStrIW (lpFirst="eventpage_bin_prod.js", lpSrch=".protected") returned 0x0 [0086.420] lstrcmpW (lpString1="eventpage_bin_prod.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0086.420] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0086.420] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0086.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0086.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js") returned 151 [0086.420] StrStrW (lpFirst="eventpage_bin_prod.js", lpSrch=".txt") returned 0x0 [0086.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js") returned 151 [0086.420] StrStrW (lpFirst="eventpage_bin_prod.js", lpSrch=".rar") returned 0x0 [0086.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js") returned 151 [0086.420] StrStrW (lpFirst="eventpage_bin_prod.js", lpSrch=".zip") returned 0x0 [0086.420] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0086.422] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.422] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0086.423] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.423] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0086.424] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0086.424] CloseHandle (hObject=0x1f8) returned 1 [0086.424] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js.protected") returned 161 [0086.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js.protected")) returned 1 [0086.425] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0086.425] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0086.425] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0086.425] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0086.425] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0086.425] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0086.426] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json") returned 143 [0086.426] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0086.426] lstrcmpW (lpString1="manifest.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.426] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0086.426] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0086.426] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0086.426] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json") returned 143 [0086.426] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0086.426] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json") returned 143 [0086.426] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0086.426] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json") returned 143 [0086.426] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0086.426] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x5b1, lpOverlapped=0x0) returned 1 [0086.431] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffffa4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.431] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x5b1, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x5b1, lpOverlapped=0x0) returned 1 [0086.432] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.432] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0086.432] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0086.432] CloseHandle (hObject=0x1f8) returned 1 [0086.433] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json.protected") returned 153 [0086.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json.protected")) returned 1 [0086.434] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0086.434] lstrcmpiW (lpString1="page_embed_script.js", lpString2="Windows") returned -1 [0086.434] lstrcmpiW (lpString1="page_embed_script.js", lpString2="Program Files") returned -1 [0086.434] lstrcmpiW (lpString1="page_embed_script.js", lpString2="Program Files (x86)") returned -1 [0086.434] lstrcmpiW (lpString1="page_embed_script.js", lpString2="$Recycle.bin") returned 1 [0086.434] lstrcmpiW (lpString1="page_embed_script.js", lpString2="System Volume Information") returned -1 [0086.434] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js") returned 150 [0086.434] StrStrIW (lpFirst="page_embed_script.js", lpSrch=".protected") returned 0x0 [0086.434] lstrcmpW (lpString1="page_embed_script.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.434] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0086.434] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0086.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0086.435] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js") returned 150 [0086.435] StrStrW (lpFirst="page_embed_script.js", lpSrch=".txt") returned 0x0 [0086.435] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js") returned 150 [0086.435] StrStrW (lpFirst="page_embed_script.js", lpSrch=".rar") returned 0x0 [0086.435] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js") returned 150 [0086.435] StrStrW (lpFirst="page_embed_script.js", lpSrch=".zip") returned 0x0 [0086.435] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0xe0, lpOverlapped=0x0) returned 1 [0086.436] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.436] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0xe0, lpOverlapped=0x0) returned 1 [0086.437] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.437] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0086.437] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0086.437] CloseHandle (hObject=0x1f8) returned 1 [0086.438] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js.protected") returned 160 [0086.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js.protected")) returned 1 [0086.438] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0086.439] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0086.439] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0086.439] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0086.439] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0086.439] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0086.439] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales") returned 138 [0086.439] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0086.439] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0086.439] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\*") returned 140 [0086.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0086.449] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.449] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.449] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.449] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.449] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.450] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\.") returned 140 [0086.450] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.450] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.450] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.450] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.450] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.450] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.450] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.450] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\..") returned 141 [0086.451] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.451] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.451] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.451] lstrcmpiW (lpString1="af", lpString2="Windows") returned -1 [0086.451] lstrcmpiW (lpString1="af", lpString2="Program Files") returned -1 [0086.451] lstrcmpiW (lpString1="af", lpString2="Program Files (x86)") returned -1 [0086.451] lstrcmpiW (lpString1="af", lpString2="$Recycle.bin") returned 1 [0086.451] lstrcmpiW (lpString1="af", lpString2="System Volume Information") returned -1 [0086.451] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af") returned 141 [0086.451] lstrcmpW (lpString1="af", lpString2=".") returned 1 [0086.451] lstrcmpW (lpString1="af", lpString2="..") returned 1 [0086.451] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\*") returned 143 [0086.451] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.452] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.452] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.452] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.452] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.452] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.452] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\.") returned 143 [0086.452] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.452] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.452] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.452] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.452] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.452] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.452] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.452] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\..") returned 144 [0086.452] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.452] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.452] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.452] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.452] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.452] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.453] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.453] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.453] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json") returned 155 [0086.453] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.453] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.453] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.453] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.453] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json") returned 155 [0086.453] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.453] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json") returned 155 [0086.453] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.453] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json") returned 155 [0086.453] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.453] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x84, lpOverlapped=0x0) returned 1 [0086.454] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.454] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x84, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x84, lpOverlapped=0x0) returned 1 [0086.455] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.455] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.455] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.455] CloseHandle (hObject=0x200) returned 1 [0086.455] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json.protected") returned 165 [0086.455] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json.protected")) returned 1 [0086.456] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.456] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.456] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.457] lstrlenA (lpString="EMPTY") returned 5 [0086.457] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.457] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.457] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.458] CloseHandle (hObject=0x1fc) returned 1 [0086.458] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.458] lstrcmpiW (lpString1="am", lpString2="Windows") returned -1 [0086.458] lstrcmpiW (lpString1="am", lpString2="Program Files") returned -1 [0086.458] lstrcmpiW (lpString1="am", lpString2="Program Files (x86)") returned -1 [0086.458] lstrcmpiW (lpString1="am", lpString2="$Recycle.bin") returned 1 [0086.458] lstrcmpiW (lpString1="am", lpString2="System Volume Information") returned -1 [0086.458] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am") returned 141 [0086.458] lstrcmpW (lpString1="am", lpString2=".") returned 1 [0086.458] lstrcmpW (lpString1="am", lpString2="..") returned 1 [0086.458] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\*") returned 143 [0086.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.458] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.458] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.458] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.458] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.458] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.458] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\.") returned 143 [0086.458] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.458] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.458] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.459] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.459] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.459] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.459] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.459] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\..") returned 144 [0086.459] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.459] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.459] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.459] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.459] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.459] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.459] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.459] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json") returned 155 [0086.459] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.459] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.459] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.459] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.460] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json") returned 155 [0086.460] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.460] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json") returned 155 [0086.460] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.460] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json") returned 155 [0086.460] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.460] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x103, lpOverlapped=0x0) returned 1 [0086.461] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.461] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x103, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x103, lpOverlapped=0x0) returned 1 [0086.461] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.461] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.461] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.461] CloseHandle (hObject=0x200) returned 1 [0086.461] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json.protected") returned 165 [0086.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json.protected")) returned 1 [0086.462] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.462] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.462] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.462] lstrlenA (lpString="EMPTY") returned 5 [0086.462] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.463] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.463] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.463] CloseHandle (hObject=0x1fc) returned 1 [0086.464] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.464] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0086.464] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0086.464] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0086.464] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0086.464] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0086.464] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar") returned 141 [0086.464] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0086.464] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0086.464] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\*") returned 143 [0086.464] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.465] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.465] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.465] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.465] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.465] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.465] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\.") returned 143 [0086.465] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.465] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.465] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.465] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.465] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.465] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.465] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.465] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\..") returned 144 [0086.465] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.465] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.465] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.465] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.465] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.465] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.465] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.465] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.465] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json") returned 155 [0086.465] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.466] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.466] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.466] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.466] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json") returned 155 [0086.466] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.466] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json") returned 155 [0086.466] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.466] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json") returned 155 [0086.466] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.466] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xed, lpOverlapped=0x0) returned 1 [0086.467] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.467] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xed, lpOverlapped=0x0) returned 1 [0086.467] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.467] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.468] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.468] CloseHandle (hObject=0x200) returned 1 [0086.468] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json.protected") returned 165 [0086.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json.protected")) returned 1 [0086.468] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.468] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.468] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.468] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.469] lstrlenA (lpString="EMPTY") returned 5 [0086.469] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.470] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.470] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.470] CloseHandle (hObject=0x1fc) returned 1 [0086.470] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.470] lstrcmpiW (lpString1="az", lpString2="Windows") returned -1 [0086.470] lstrcmpiW (lpString1="az", lpString2="Program Files") returned -1 [0086.470] lstrcmpiW (lpString1="az", lpString2="Program Files (x86)") returned -1 [0086.470] lstrcmpiW (lpString1="az", lpString2="$Recycle.bin") returned 1 [0086.470] lstrcmpiW (lpString1="az", lpString2="System Volume Information") returned -1 [0086.470] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az") returned 141 [0086.470] lstrcmpW (lpString1="az", lpString2=".") returned 1 [0086.470] lstrcmpW (lpString1="az", lpString2="..") returned 1 [0086.470] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\*") returned 143 [0086.470] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.471] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.471] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.471] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.471] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.471] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.471] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\.") returned 143 [0086.471] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.471] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.471] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.471] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.471] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.471] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.471] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.471] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\..") returned 144 [0086.471] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.471] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.471] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.471] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.471] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.471] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.471] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.471] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.471] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json") returned 155 [0086.471] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.471] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.471] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.471] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.472] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json") returned 155 [0086.472] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.472] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json") returned 155 [0086.472] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.472] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json") returned 155 [0086.472] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.472] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xa7, lpOverlapped=0x0) returned 1 [0086.473] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff59, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.473] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xa7, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xa7, lpOverlapped=0x0) returned 1 [0086.473] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.473] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.473] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.473] CloseHandle (hObject=0x200) returned 1 [0086.474] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json.protected") returned 165 [0086.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json.protected")) returned 1 [0086.474] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.474] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.474] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.475] lstrlenA (lpString="EMPTY") returned 5 [0086.475] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.476] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.476] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.476] CloseHandle (hObject=0x1fc) returned 1 [0086.476] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.476] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0086.476] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0086.476] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0086.476] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0086.476] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0086.476] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg") returned 141 [0086.476] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0086.476] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0086.477] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\*") returned 143 [0086.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.477] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.477] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.477] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.478] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.478] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.478] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\.") returned 143 [0086.478] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.478] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.478] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.478] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.478] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.478] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.478] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.478] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\..") returned 144 [0086.478] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.478] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.478] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.478] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.478] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.478] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.478] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.478] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.478] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json") returned 155 [0086.478] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.478] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.478] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.478] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json") returned 155 [0086.479] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json") returned 155 [0086.479] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json") returned 155 [0086.479] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.479] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x114, lpOverlapped=0x0) returned 1 [0086.480] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.480] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x114, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x114, lpOverlapped=0x0) returned 1 [0086.480] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.480] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.480] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.480] CloseHandle (hObject=0x200) returned 1 [0086.480] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json.protected") returned 165 [0086.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json.protected")) returned 1 [0086.481] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.481] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.481] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.482] lstrlenA (lpString="EMPTY") returned 5 [0086.482] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.483] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.483] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.483] CloseHandle (hObject=0x1fc) returned 1 [0086.483] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.483] lstrcmpiW (lpString1="bn", lpString2="Windows") returned -1 [0086.483] lstrcmpiW (lpString1="bn", lpString2="Program Files") returned -1 [0086.483] lstrcmpiW (lpString1="bn", lpString2="Program Files (x86)") returned -1 [0086.483] lstrcmpiW (lpString1="bn", lpString2="$Recycle.bin") returned 1 [0086.483] lstrcmpiW (lpString1="bn", lpString2="System Volume Information") returned -1 [0086.483] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn") returned 141 [0086.483] lstrcmpW (lpString1="bn", lpString2=".") returned 1 [0086.483] lstrcmpW (lpString1="bn", lpString2="..") returned 1 [0086.483] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\*") returned 143 [0086.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.484] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.484] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.484] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.484] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.484] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.484] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\.") returned 143 [0086.484] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.484] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.484] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.484] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.484] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.484] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.484] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.484] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\..") returned 144 [0086.484] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.484] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.484] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.484] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.484] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.484] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.484] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.484] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.484] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json") returned 155 [0086.484] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.484] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.484] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.484] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.485] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json") returned 155 [0086.485] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.485] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json") returned 155 [0086.485] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.485] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json") returned 155 [0086.485] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.485] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x14b, lpOverlapped=0x0) returned 1 [0086.486] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeb5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.486] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x14b, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x14b, lpOverlapped=0x0) returned 1 [0086.486] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.486] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.486] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.486] CloseHandle (hObject=0x200) returned 1 [0086.486] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json.protected") returned 165 [0086.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json.protected")) returned 1 [0086.487] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.487] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.487] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.488] lstrlenA (lpString="EMPTY") returned 5 [0086.488] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.489] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.489] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.489] CloseHandle (hObject=0x1fc) returned 1 [0086.489] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.489] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0086.489] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0086.489] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0086.489] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0086.489] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0086.489] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca") returned 141 [0086.489] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0086.489] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0086.489] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\*") returned 143 [0086.489] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.490] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.490] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.490] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.490] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.490] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.490] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\.") returned 143 [0086.490] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.490] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.490] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.490] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.490] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.490] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.490] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.490] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\..") returned 144 [0086.490] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.490] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.490] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.490] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.491] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.491] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.491] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.491] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.491] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json") returned 155 [0086.491] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.491] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.491] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.491] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.491] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json") returned 155 [0086.491] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.491] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json") returned 155 [0086.491] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.491] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json") returned 155 [0086.491] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.491] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xcf, lpOverlapped=0x0) returned 1 [0086.492] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.492] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xcf, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xcf, lpOverlapped=0x0) returned 1 [0086.492] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.492] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.493] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.493] CloseHandle (hObject=0x200) returned 1 [0086.493] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json.protected") returned 165 [0086.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json.protected")) returned 1 [0086.496] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.496] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.496] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.496] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.496] lstrlenA (lpString="EMPTY") returned 5 [0086.496] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.497] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.497] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.497] CloseHandle (hObject=0x1fc) returned 1 [0086.498] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.498] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0086.498] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0086.498] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0086.498] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0086.498] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0086.498] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs") returned 141 [0086.498] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0086.498] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0086.498] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\*") returned 143 [0086.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.498] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.498] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.498] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.498] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.498] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.498] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\.") returned 143 [0086.498] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.498] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.498] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.498] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.498] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.498] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.498] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.498] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\..") returned 144 [0086.499] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.499] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.499] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.499] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.499] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.499] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.499] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.499] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.499] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json") returned 155 [0086.499] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.499] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.499] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.499] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.499] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json") returned 155 [0086.499] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.499] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json") returned 155 [0086.499] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.499] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json") returned 155 [0086.499] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.500] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xad, lpOverlapped=0x0) returned 1 [0086.500] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.500] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xad, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xad, lpOverlapped=0x0) returned 1 [0086.501] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.501] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.501] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.501] CloseHandle (hObject=0x200) returned 1 [0086.501] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json.protected") returned 165 [0086.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json.protected")) returned 1 [0086.502] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.502] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.502] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.502] lstrlenA (lpString="EMPTY") returned 5 [0086.502] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.503] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.503] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.503] CloseHandle (hObject=0x1fc) returned 1 [0086.503] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.503] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0086.503] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0086.503] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0086.503] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0086.503] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0086.504] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da") returned 141 [0086.504] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0086.504] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0086.504] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\*") returned 143 [0086.504] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.504] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.505] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.505] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.505] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.505] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.505] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\.") returned 143 [0086.505] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.505] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.505] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.505] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.505] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.505] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.505] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.505] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\..") returned 144 [0086.505] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.505] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.505] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.505] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.505] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.505] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.505] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.505] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.505] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json") returned 155 [0086.505] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.505] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.505] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.505] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json") returned 155 [0086.506] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json") returned 155 [0086.506] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json") returned 155 [0086.506] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.506] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xac, lpOverlapped=0x0) returned 1 [0086.507] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.507] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xac, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xac, lpOverlapped=0x0) returned 1 [0086.507] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.507] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.507] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.507] CloseHandle (hObject=0x200) returned 1 [0086.507] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json.protected") returned 165 [0086.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json.protected")) returned 1 [0086.508] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.508] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.508] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.508] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.509] lstrlenA (lpString="EMPTY") returned 5 [0086.509] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.509] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.509] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.510] CloseHandle (hObject=0x1fc) returned 1 [0086.510] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.510] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0086.510] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0086.510] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0086.510] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0086.510] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0086.510] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de") returned 141 [0086.510] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0086.510] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0086.510] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\*") returned 143 [0086.510] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.510] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.510] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.510] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.510] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.510] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.510] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\.") returned 143 [0086.511] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.511] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.511] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.511] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.511] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.511] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.511] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.511] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\..") returned 144 [0086.511] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.511] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.511] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.511] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.511] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.511] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.511] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.511] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.511] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json") returned 155 [0086.511] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.511] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.511] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.511] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.512] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json") returned 155 [0086.512] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.512] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json") returned 155 [0086.512] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.512] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json") returned 155 [0086.512] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.512] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xc1, lpOverlapped=0x0) returned 1 [0086.513] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.513] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xc1, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xc1, lpOverlapped=0x0) returned 1 [0086.513] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.513] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.513] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.513] CloseHandle (hObject=0x200) returned 1 [0086.513] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json.protected") returned 165 [0086.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json.protected")) returned 1 [0086.514] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.514] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.514] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.514] lstrlenA (lpString="EMPTY") returned 5 [0086.514] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.515] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.515] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.515] CloseHandle (hObject=0x1fc) returned 1 [0086.515] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.515] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0086.515] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0086.515] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0086.515] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0086.516] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0086.516] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el") returned 141 [0086.516] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0086.516] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0086.516] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\*") returned 143 [0086.516] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.526] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.526] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.526] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.526] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.526] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.526] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\.") returned 143 [0086.526] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.526] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.526] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.526] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.526] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.526] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.526] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.526] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\..") returned 144 [0086.526] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.526] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.526] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.526] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.526] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.526] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.526] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.526] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.526] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json") returned 155 [0086.526] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.526] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.526] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.526] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.527] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json") returned 155 [0086.527] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.527] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json") returned 155 [0086.527] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.527] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json") returned 155 [0086.527] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.527] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x12a, lpOverlapped=0x0) returned 1 [0086.528] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffed6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.529] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x12a, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x12a, lpOverlapped=0x0) returned 1 [0086.529] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.529] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.529] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.529] CloseHandle (hObject=0x200) returned 1 [0086.529] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json.protected") returned 165 [0086.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json.protected")) returned 1 [0086.530] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.530] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.530] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.530] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.530] lstrlenA (lpString="EMPTY") returned 5 [0086.530] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.531] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.531] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.531] CloseHandle (hObject=0x1fc) returned 1 [0086.531] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.531] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0086.531] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0086.531] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0086.531] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0086.531] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0086.531] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB") returned 144 [0086.531] lstrcmpW (lpString1="en_GB", lpString2=".") returned 1 [0086.531] lstrcmpW (lpString1="en_GB", lpString2="..") returned 1 [0086.531] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\*") returned 146 [0086.531] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.532] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.532] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.532] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.532] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.532] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.532] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\.") returned 146 [0086.532] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.532] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.532] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.532] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.532] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.532] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.532] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.532] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\..") returned 147 [0086.532] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.532] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.532] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.532] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.532] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.532] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.532] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.532] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.532] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json") returned 158 [0086.532] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.532] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.532] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.533] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json") returned 158 [0086.533] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json") returned 158 [0086.533] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json") returned 158 [0086.533] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.533] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb2, lpOverlapped=0x0) returned 1 [0086.534] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.534] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb2, lpOverlapped=0x0) returned 1 [0086.534] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.534] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.534] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.534] CloseHandle (hObject=0x200) returned 1 [0086.534] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json.protected") returned 168 [0086.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_gb\\messages.json.protected")) returned 1 [0086.535] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.535] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.535] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0086.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_gb\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.535] lstrlenA (lpString="EMPTY") returned 5 [0086.535] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.536] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.536] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.536] CloseHandle (hObject=0x1fc) returned 1 [0086.536] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.536] lstrcmpiW (lpString1="en_US", lpString2="Windows") returned -1 [0086.536] lstrcmpiW (lpString1="en_US", lpString2="Program Files") returned -1 [0086.536] lstrcmpiW (lpString1="en_US", lpString2="Program Files (x86)") returned -1 [0086.536] lstrcmpiW (lpString1="en_US", lpString2="$Recycle.bin") returned 1 [0086.536] lstrcmpiW (lpString1="en_US", lpString2="System Volume Information") returned -1 [0086.537] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US") returned 144 [0086.537] lstrcmpW (lpString1="en_US", lpString2=".") returned 1 [0086.537] lstrcmpW (lpString1="en_US", lpString2="..") returned 1 [0086.537] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\*") returned 146 [0086.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.537] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.537] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.537] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.537] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.537] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.537] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\.") returned 146 [0086.537] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.537] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.538] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.538] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.538] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.538] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.538] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.538] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\..") returned 147 [0086.538] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.538] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.538] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.538] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.538] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.538] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.538] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.538] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.538] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json") returned 158 [0086.538] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.538] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.538] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.538] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.538] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json") returned 158 [0086.538] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.538] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json") returned 158 [0086.538] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.538] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json") returned 158 [0086.538] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.539] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x109, lpOverlapped=0x0) returned 1 [0086.539] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.539] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x109, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x109, lpOverlapped=0x0) returned 1 [0086.539] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.539] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.539] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.540] CloseHandle (hObject=0x200) returned 1 [0086.540] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json.protected") returned 168 [0086.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_us\\messages.json.protected")) returned 1 [0086.540] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.540] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.540] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0086.540] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_us\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.541] lstrlenA (lpString="EMPTY") returned 5 [0086.541] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.541] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.541] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.542] CloseHandle (hObject=0x1fc) returned 1 [0086.542] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.542] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0086.542] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0086.542] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0086.542] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0086.542] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0086.542] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es") returned 141 [0086.542] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0086.542] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0086.542] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\*") returned 143 [0086.542] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.542] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.542] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.542] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.542] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.542] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.542] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\.") returned 143 [0086.542] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.543] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.543] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.543] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.543] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.543] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.543] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.543] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\..") returned 144 [0086.543] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.543] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.543] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.543] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.543] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.543] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.543] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.543] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.543] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json") returned 155 [0086.543] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.543] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.543] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.543] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.543] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json") returned 155 [0086.543] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json") returned 155 [0086.544] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json") returned 155 [0086.544] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.544] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xcc, lpOverlapped=0x0) returned 1 [0086.544] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.544] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xcc, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xcc, lpOverlapped=0x0) returned 1 [0086.544] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.544] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.545] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.545] CloseHandle (hObject=0x200) returned 1 [0086.545] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json.protected") returned 165 [0086.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json.protected")) returned 1 [0086.545] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.545] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.545] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.546] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.546] lstrlenA (lpString="EMPTY") returned 5 [0086.546] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.546] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.546] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.547] CloseHandle (hObject=0x1fc) returned 1 [0086.547] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.547] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0086.547] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0086.547] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0086.547] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0086.547] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0086.547] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419") returned 145 [0086.547] lstrcmpW (lpString1="es_419", lpString2=".") returned 1 [0086.547] lstrcmpW (lpString1="es_419", lpString2="..") returned 1 [0086.547] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\*") returned 147 [0086.547] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.548] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.548] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.548] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.548] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.548] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.548] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\.") returned 147 [0086.548] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.548] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.548] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.548] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.548] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.548] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.548] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.548] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\..") returned 148 [0086.548] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.548] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.549] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.549] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.549] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.549] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.549] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.549] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.549] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json") returned 159 [0086.549] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.549] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.549] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.549] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.549] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json") returned 159 [0086.549] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.549] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json") returned 159 [0086.549] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.549] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json") returned 159 [0086.549] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.550] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe3, lpOverlapped=0x0) returned 1 [0086.550] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.550] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe3, lpOverlapped=0x0) returned 1 [0086.551] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.551] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.551] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.551] CloseHandle (hObject=0x200) returned 1 [0086.551] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json.protected") returned 169 [0086.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json.protected")) returned 1 [0086.552] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.552] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.552] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0086.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.552] lstrlenA (lpString="EMPTY") returned 5 [0086.552] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.553] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.553] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.553] CloseHandle (hObject=0x1fc) returned 1 [0086.553] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.553] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0086.553] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0086.553] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0086.553] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0086.553] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0086.553] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et") returned 141 [0086.553] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0086.553] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0086.553] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\*") returned 143 [0086.553] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.554] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.554] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.554] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.554] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.554] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.554] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\.") returned 143 [0086.554] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.554] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.554] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.554] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.554] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.554] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.554] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.554] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\..") returned 144 [0086.554] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.554] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.554] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.554] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.554] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.554] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.554] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.554] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.554] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json") returned 155 [0086.554] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.554] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.554] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.554] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.555] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json") returned 155 [0086.555] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.555] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json") returned 155 [0086.555] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.555] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json") returned 155 [0086.555] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.555] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd4, lpOverlapped=0x0) returned 1 [0086.556] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.556] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd4, lpOverlapped=0x0) returned 1 [0086.556] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.556] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.556] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.556] CloseHandle (hObject=0x200) returned 1 [0086.556] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json.protected") returned 165 [0086.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json.protected")) returned 1 [0086.557] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.557] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.557] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.558] lstrlenA (lpString="EMPTY") returned 5 [0086.558] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.559] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.559] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.560] CloseHandle (hObject=0x1fc) returned 1 [0086.560] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.560] lstrcmpiW (lpString1="eu", lpString2="Windows") returned -1 [0086.560] lstrcmpiW (lpString1="eu", lpString2="Program Files") returned -1 [0086.560] lstrcmpiW (lpString1="eu", lpString2="Program Files (x86)") returned -1 [0086.560] lstrcmpiW (lpString1="eu", lpString2="$Recycle.bin") returned 1 [0086.560] lstrcmpiW (lpString1="eu", lpString2="System Volume Information") returned -1 [0086.560] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu") returned 141 [0086.560] lstrcmpW (lpString1="eu", lpString2=".") returned 1 [0086.560] lstrcmpW (lpString1="eu", lpString2="..") returned 1 [0086.560] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\*") returned 143 [0086.560] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.561] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.561] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.561] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.561] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.561] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.561] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\.") returned 143 [0086.561] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.561] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.561] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.561] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.561] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.561] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.561] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.561] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\..") returned 144 [0086.561] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.561] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.561] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.561] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.562] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.562] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.562] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.562] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.562] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json") returned 155 [0086.562] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.562] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.562] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.562] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.562] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.562] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json") returned 155 [0086.562] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.562] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json") returned 155 [0086.562] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.562] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json") returned 155 [0086.562] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.562] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x98, lpOverlapped=0x0) returned 1 [0086.563] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff68, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.563] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x98, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x98, lpOverlapped=0x0) returned 1 [0086.563] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.563] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.563] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.564] CloseHandle (hObject=0x200) returned 1 [0086.564] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json.protected") returned 165 [0086.564] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json.protected")) returned 1 [0086.564] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.564] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.564] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.564] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.565] lstrlenA (lpString="EMPTY") returned 5 [0086.565] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.566] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.566] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.566] CloseHandle (hObject=0x1fc) returned 1 [0086.566] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.566] lstrcmpiW (lpString1="fa", lpString2="Windows") returned -1 [0086.566] lstrcmpiW (lpString1="fa", lpString2="Program Files") returned -1 [0086.566] lstrcmpiW (lpString1="fa", lpString2="Program Files (x86)") returned -1 [0086.566] lstrcmpiW (lpString1="fa", lpString2="$Recycle.bin") returned 1 [0086.566] lstrcmpiW (lpString1="fa", lpString2="System Volume Information") returned -1 [0086.566] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa") returned 141 [0086.566] lstrcmpW (lpString1="fa", lpString2=".") returned 1 [0086.566] lstrcmpW (lpString1="fa", lpString2="..") returned 1 [0086.566] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\*") returned 143 [0086.566] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.567] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.567] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.567] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.567] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.567] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.567] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\.") returned 143 [0086.567] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.567] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.567] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.567] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.567] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.567] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.567] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.567] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\..") returned 144 [0086.567] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.567] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.567] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.567] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.567] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.567] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.567] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.567] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.567] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json") returned 155 [0086.567] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.567] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.567] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.567] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.567] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.568] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json") returned 155 [0086.568] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.568] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json") returned 155 [0086.568] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.568] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json") returned 155 [0086.568] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.568] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xff, lpOverlapped=0x0) returned 1 [0086.569] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.569] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xff, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xff, lpOverlapped=0x0) returned 1 [0086.569] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.569] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.569] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.569] CloseHandle (hObject=0x200) returned 1 [0086.569] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json.protected") returned 165 [0086.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json.protected")) returned 1 [0086.570] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.570] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.570] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.570] lstrlenA (lpString="EMPTY") returned 5 [0086.570] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.571] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.571] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.571] CloseHandle (hObject=0x1fc) returned 1 [0086.571] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.571] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0086.571] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0086.571] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0086.571] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0086.571] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0086.571] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi") returned 141 [0086.571] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0086.571] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0086.571] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\*") returned 143 [0086.571] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.572] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.573] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.573] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.573] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.573] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.573] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\.") returned 143 [0086.573] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.573] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.573] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.573] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.573] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.573] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.573] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.573] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\..") returned 144 [0086.573] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.573] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.573] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.573] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.573] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.573] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.573] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.573] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.573] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json") returned 155 [0086.573] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.573] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.573] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.573] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.574] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json") returned 155 [0086.574] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.574] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json") returned 155 [0086.574] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.574] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json") returned 155 [0086.574] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.574] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb7, lpOverlapped=0x0) returned 1 [0086.574] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff49, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.574] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb7, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb7, lpOverlapped=0x0) returned 1 [0086.575] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.575] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.575] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.575] CloseHandle (hObject=0x200) returned 1 [0086.575] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json.protected") returned 165 [0086.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json.protected")) returned 1 [0086.575] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.575] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.576] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.576] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.576] lstrlenA (lpString="EMPTY") returned 5 [0086.576] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.576] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.577] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.577] CloseHandle (hObject=0x1fc) returned 1 [0086.577] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.577] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0086.577] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0086.577] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0086.577] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0086.577] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0086.577] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil") returned 142 [0086.577] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0086.577] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0086.577] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\*") returned 144 [0086.577] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.577] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.577] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.577] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.577] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.577] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.577] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\.") returned 144 [0086.577] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.577] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.577] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.577] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.577] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.577] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.577] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.577] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\..") returned 145 [0086.577] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.577] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.578] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.578] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.578] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.578] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.578] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.578] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.578] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json") returned 156 [0086.578] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.578] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.578] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.578] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.578] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.578] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json") returned 156 [0086.578] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.578] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json") returned 156 [0086.578] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.578] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json") returned 156 [0086.578] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.578] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xc7, lpOverlapped=0x0) returned 1 [0086.579] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.579] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xc7, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xc7, lpOverlapped=0x0) returned 1 [0086.579] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.579] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.579] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.579] CloseHandle (hObject=0x200) returned 1 [0086.580] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json.protected") returned 166 [0086.580] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json.protected")) returned 1 [0086.580] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.580] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.580] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0086.580] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.581] lstrlenA (lpString="EMPTY") returned 5 [0086.581] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.582] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.582] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.582] CloseHandle (hObject=0x1fc) returned 1 [0086.582] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.582] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0086.582] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0086.582] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0086.582] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0086.582] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0086.582] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr") returned 141 [0086.582] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0086.582] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0086.582] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\*") returned 143 [0086.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.583] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.583] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.583] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.583] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.583] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.583] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\.") returned 143 [0086.583] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.583] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.583] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.583] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.583] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.583] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.583] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.583] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\..") returned 144 [0086.583] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.583] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.583] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.584] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.584] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.584] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.584] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.584] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.584] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json") returned 155 [0086.584] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.584] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.584] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.584] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.584] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.584] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json") returned 155 [0086.584] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.584] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json") returned 155 [0086.584] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.584] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json") returned 155 [0086.584] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.584] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xbb, lpOverlapped=0x0) returned 1 [0086.585] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff45, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.585] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xbb, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xbb, lpOverlapped=0x0) returned 1 [0086.585] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.585] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.585] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.585] CloseHandle (hObject=0x200) returned 1 [0086.585] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json.protected") returned 165 [0086.585] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json.protected")) returned 1 [0086.586] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.586] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.586] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.587] lstrlenA (lpString="EMPTY") returned 5 [0086.587] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.588] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.588] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.588] CloseHandle (hObject=0x1fc) returned 1 [0086.588] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.588] lstrcmpiW (lpString1="fr_CA", lpString2="Windows") returned -1 [0086.588] lstrcmpiW (lpString1="fr_CA", lpString2="Program Files") returned -1 [0086.588] lstrcmpiW (lpString1="fr_CA", lpString2="Program Files (x86)") returned -1 [0086.588] lstrcmpiW (lpString1="fr_CA", lpString2="$Recycle.bin") returned 1 [0086.588] lstrcmpiW (lpString1="fr_CA", lpString2="System Volume Information") returned -1 [0086.588] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA") returned 144 [0086.588] lstrcmpW (lpString1="fr_CA", lpString2=".") returned 1 [0086.588] lstrcmpW (lpString1="fr_CA", lpString2="..") returned 1 [0086.588] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\*") returned 146 [0086.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.589] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.589] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.589] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.589] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.589] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.589] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\.") returned 146 [0086.589] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.589] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.589] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.589] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.589] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.589] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.589] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.589] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\..") returned 147 [0086.589] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.589] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.589] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.589] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.589] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.589] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.589] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.589] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.589] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json") returned 158 [0086.589] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.589] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.589] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.590] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.590] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json") returned 158 [0086.590] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.590] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json") returned 158 [0086.590] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.590] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json") returned 158 [0086.590] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.590] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd2, lpOverlapped=0x0) returned 1 [0086.591] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.591] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd2, lpOverlapped=0x0) returned 1 [0086.591] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.591] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.591] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.591] CloseHandle (hObject=0x200) returned 1 [0086.591] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json.protected") returned 168 [0086.591] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_ca\\messages.json.protected")) returned 1 [0086.592] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.592] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.592] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0086.592] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_ca\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.592] lstrlenA (lpString="EMPTY") returned 5 [0086.592] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.593] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.593] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.593] CloseHandle (hObject=0x1fc) returned 1 [0086.593] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.593] lstrcmpiW (lpString1="gl", lpString2="Windows") returned -1 [0086.593] lstrcmpiW (lpString1="gl", lpString2="Program Files") returned -1 [0086.593] lstrcmpiW (lpString1="gl", lpString2="Program Files (x86)") returned -1 [0086.593] lstrcmpiW (lpString1="gl", lpString2="$Recycle.bin") returned 1 [0086.593] lstrcmpiW (lpString1="gl", lpString2="System Volume Information") returned -1 [0086.593] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl") returned 141 [0086.593] lstrcmpW (lpString1="gl", lpString2=".") returned 1 [0086.593] lstrcmpW (lpString1="gl", lpString2="..") returned 1 [0086.593] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\*") returned 143 [0086.593] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.594] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.594] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.594] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.594] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.594] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.594] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\.") returned 143 [0086.594] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.594] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.594] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.594] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.594] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.594] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.594] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.594] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\..") returned 144 [0086.594] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.594] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.594] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.594] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.594] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.594] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.594] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.594] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.594] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json") returned 155 [0086.594] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.594] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.594] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.594] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.595] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json") returned 155 [0086.595] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.595] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json") returned 155 [0086.595] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.595] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json") returned 155 [0086.595] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.595] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xac, lpOverlapped=0x0) returned 1 [0086.596] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.596] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xac, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xac, lpOverlapped=0x0) returned 1 [0086.596] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.596] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.597] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.597] CloseHandle (hObject=0x200) returned 1 [0086.597] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json.protected") returned 165 [0086.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json.protected")) returned 1 [0086.597] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.597] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.597] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.598] lstrlenA (lpString="EMPTY") returned 5 [0086.598] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.598] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.599] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.599] CloseHandle (hObject=0x1fc) returned 1 [0086.599] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.599] lstrcmpiW (lpString1="gu", lpString2="Windows") returned -1 [0086.599] lstrcmpiW (lpString1="gu", lpString2="Program Files") returned -1 [0086.599] lstrcmpiW (lpString1="gu", lpString2="Program Files (x86)") returned -1 [0086.599] lstrcmpiW (lpString1="gu", lpString2="$Recycle.bin") returned 1 [0086.599] lstrcmpiW (lpString1="gu", lpString2="System Volume Information") returned -1 [0086.599] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu") returned 141 [0086.599] lstrcmpW (lpString1="gu", lpString2=".") returned 1 [0086.599] lstrcmpW (lpString1="gu", lpString2="..") returned 1 [0086.599] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\*") returned 143 [0086.599] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.599] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.599] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.599] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.599] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.599] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.599] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\.") returned 143 [0086.599] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.599] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.600] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.600] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.600] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.600] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.600] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.600] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\..") returned 144 [0086.600] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.600] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.600] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.600] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.600] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.600] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.600] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.600] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.600] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json") returned 155 [0086.600] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.600] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.600] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.600] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.600] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json") returned 155 [0086.600] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.600] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json") returned 155 [0086.600] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.600] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json") returned 155 [0086.600] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.600] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x11e, lpOverlapped=0x0) returned 1 [0086.601] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffee2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.601] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x11e, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x11e, lpOverlapped=0x0) returned 1 [0086.601] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.601] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.602] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.602] CloseHandle (hObject=0x200) returned 1 [0086.602] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json.protected") returned 165 [0086.602] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json.protected")) returned 1 [0086.602] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.602] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.602] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.603] lstrlenA (lpString="EMPTY") returned 5 [0086.603] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.603] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.603] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.604] CloseHandle (hObject=0x1fc) returned 1 [0086.604] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.604] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0086.604] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0086.604] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0086.604] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0086.604] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0086.604] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi") returned 141 [0086.604] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0086.604] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0086.604] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\*") returned 143 [0086.604] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.604] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.604] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.604] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.604] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.604] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.604] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\.") returned 143 [0086.604] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.604] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.604] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.604] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.604] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.604] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.604] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.604] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\..") returned 144 [0086.604] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.604] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.604] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.605] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.605] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.605] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.605] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.605] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.605] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json") returned 155 [0086.605] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.605] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.605] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.605] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json") returned 155 [0086.606] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json") returned 155 [0086.606] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.606] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json") returned 155 [0086.606] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.606] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x13e, lpOverlapped=0x0) returned 1 [0086.606] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffec2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.606] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x13e, lpOverlapped=0x0) returned 1 [0086.607] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.607] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.607] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.607] CloseHandle (hObject=0x200) returned 1 [0086.607] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json.protected") returned 165 [0086.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json.protected")) returned 1 [0086.608] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.608] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.608] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.608] lstrlenA (lpString="EMPTY") returned 5 [0086.608] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.609] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.609] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.609] CloseHandle (hObject=0x1fc) returned 1 [0086.609] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.609] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0086.609] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0086.609] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0086.609] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0086.609] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0086.609] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr") returned 141 [0086.609] lstrcmpW (lpString1="hr", lpString2=".") returned 1 [0086.609] lstrcmpW (lpString1="hr", lpString2="..") returned 1 [0086.609] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\*") returned 143 [0086.609] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.609] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.609] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.609] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.609] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.609] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.609] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\.") returned 143 [0086.609] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.609] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.610] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.610] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.610] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.610] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.610] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.610] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\..") returned 144 [0086.610] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.610] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.610] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.610] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.610] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.610] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.610] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.610] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.610] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json") returned 155 [0086.610] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.610] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.610] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.610] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.610] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json") returned 155 [0086.610] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.610] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json") returned 155 [0086.610] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.610] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json") returned 155 [0086.610] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.610] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xc8, lpOverlapped=0x0) returned 1 [0086.611] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.611] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xc8, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xc8, lpOverlapped=0x0) returned 1 [0086.611] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.611] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.611] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.611] CloseHandle (hObject=0x200) returned 1 [0086.612] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json.protected") returned 165 [0086.612] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json.protected")) returned 1 [0086.612] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.612] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.612] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.613] lstrlenA (lpString="EMPTY") returned 5 [0086.613] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.613] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.613] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.613] CloseHandle (hObject=0x1fc) returned 1 [0086.613] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.613] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0086.613] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0086.614] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0086.614] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0086.614] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0086.614] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu") returned 141 [0086.614] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0086.614] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0086.614] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\*") returned 143 [0086.614] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.614] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.614] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.614] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.614] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.614] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.614] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\.") returned 143 [0086.614] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.614] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.614] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.614] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.614] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.614] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.614] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.614] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\..") returned 144 [0086.614] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.614] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.614] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.614] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.614] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.614] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.614] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.614] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.614] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json") returned 155 [0086.614] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.614] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.614] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.614] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json") returned 155 [0086.615] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json") returned 155 [0086.615] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json") returned 155 [0086.615] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.615] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xc6, lpOverlapped=0x0) returned 1 [0086.616] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.616] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xc6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xc6, lpOverlapped=0x0) returned 1 [0086.616] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.616] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.616] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.617] CloseHandle (hObject=0x200) returned 1 [0086.617] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json.protected") returned 165 [0086.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json.protected")) returned 1 [0086.617] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.617] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.617] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.618] lstrlenA (lpString="EMPTY") returned 5 [0086.618] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.618] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.618] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.618] CloseHandle (hObject=0x1fc) returned 1 [0086.618] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.618] lstrcmpiW (lpString1="hy", lpString2="Windows") returned -1 [0086.619] lstrcmpiW (lpString1="hy", lpString2="Program Files") returned -1 [0086.619] lstrcmpiW (lpString1="hy", lpString2="Program Files (x86)") returned -1 [0086.619] lstrcmpiW (lpString1="hy", lpString2="$Recycle.bin") returned 1 [0086.619] lstrcmpiW (lpString1="hy", lpString2="System Volume Information") returned -1 [0086.619] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy") returned 141 [0086.619] lstrcmpW (lpString1="hy", lpString2=".") returned 1 [0086.619] lstrcmpW (lpString1="hy", lpString2="..") returned 1 [0086.619] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\*") returned 143 [0086.619] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.619] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.619] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.619] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.619] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.619] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.619] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\.") returned 143 [0086.619] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.619] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.619] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.619] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.619] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.619] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.619] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.619] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\..") returned 144 [0086.619] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.619] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.619] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.619] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.619] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.619] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.619] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.619] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.620] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json") returned 155 [0086.620] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.620] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.620] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.620] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.620] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json") returned 155 [0086.620] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.620] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json") returned 155 [0086.620] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.620] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json") returned 155 [0086.620] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.620] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x299, lpOverlapped=0x0) returned 1 [0086.706] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.706] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x299, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x299, lpOverlapped=0x0) returned 1 [0086.706] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.706] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.706] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.707] CloseHandle (hObject=0x200) returned 1 [0086.707] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json.protected") returned 165 [0086.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json.protected")) returned 1 [0086.707] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.707] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.707] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.707] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.708] lstrlenA (lpString="EMPTY") returned 5 [0086.708] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.708] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.709] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.709] CloseHandle (hObject=0x1fc) returned 1 [0086.709] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.709] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0086.709] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0086.709] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0086.709] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0086.709] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0086.709] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id") returned 141 [0086.709] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0086.709] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0086.709] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\*") returned 143 [0086.709] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.709] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.709] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.709] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.709] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.709] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.709] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\.") returned 143 [0086.709] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.709] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.709] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.709] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.709] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.710] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.710] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.710] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\..") returned 144 [0086.710] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.710] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.710] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.710] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.710] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.710] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.710] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.710] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.710] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json") returned 155 [0086.710] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.710] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.710] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.710] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.711] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json") returned 155 [0086.711] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.711] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json") returned 155 [0086.711] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.711] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json") returned 155 [0086.711] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.711] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xbb, lpOverlapped=0x0) returned 1 [0086.712] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff45, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.712] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xbb, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xbb, lpOverlapped=0x0) returned 1 [0086.712] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.712] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.712] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.712] CloseHandle (hObject=0x200) returned 1 [0086.713] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json.protected") returned 165 [0086.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json.protected")) returned 1 [0086.714] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.714] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.714] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.714] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.714] lstrlenA (lpString="EMPTY") returned 5 [0086.714] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.715] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.715] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.715] CloseHandle (hObject=0x1fc) returned 1 [0086.715] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.716] lstrcmpiW (lpString1="is", lpString2="Windows") returned -1 [0086.716] lstrcmpiW (lpString1="is", lpString2="Program Files") returned -1 [0086.716] lstrcmpiW (lpString1="is", lpString2="Program Files (x86)") returned -1 [0086.716] lstrcmpiW (lpString1="is", lpString2="$Recycle.bin") returned 1 [0086.716] lstrcmpiW (lpString1="is", lpString2="System Volume Information") returned -1 [0086.716] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is") returned 141 [0086.716] lstrcmpW (lpString1="is", lpString2=".") returned 1 [0086.716] lstrcmpW (lpString1="is", lpString2="..") returned 1 [0086.716] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\*") returned 143 [0086.716] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.716] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.716] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.716] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.716] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.716] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.716] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\.") returned 143 [0086.716] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.716] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.716] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.716] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.716] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.716] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.716] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.716] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\..") returned 144 [0086.717] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.717] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.717] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.717] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.717] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.717] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.717] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.717] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.717] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json") returned 155 [0086.717] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.717] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.717] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.717] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.717] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.717] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json") returned 155 [0086.717] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.717] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json") returned 155 [0086.717] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.717] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json") returned 155 [0086.717] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.718] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb2, lpOverlapped=0x0) returned 1 [0086.718] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.718] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb2, lpOverlapped=0x0) returned 1 [0086.719] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.719] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.719] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.719] CloseHandle (hObject=0x200) returned 1 [0086.719] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json.protected") returned 165 [0086.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json.protected")) returned 1 [0086.720] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.720] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.720] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.720] lstrlenA (lpString="EMPTY") returned 5 [0086.720] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.721] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.721] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.721] CloseHandle (hObject=0x1fc) returned 1 [0086.721] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.721] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0086.721] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0086.721] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0086.721] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0086.721] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0086.721] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it") returned 141 [0086.721] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0086.721] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0086.721] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\*") returned 143 [0086.721] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.722] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.722] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.722] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.722] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.722] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.722] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\.") returned 143 [0086.722] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.722] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.722] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.722] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.722] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.722] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.722] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.722] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\..") returned 144 [0086.722] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.722] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.722] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.722] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.722] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.722] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.722] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.722] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.722] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json") returned 155 [0086.722] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.722] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.722] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.722] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.722] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.723] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json") returned 155 [0086.723] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.723] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json") returned 155 [0086.723] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.723] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json") returned 155 [0086.723] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.723] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb6, lpOverlapped=0x0) returned 1 [0086.724] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.724] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb6, lpOverlapped=0x0) returned 1 [0086.724] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.724] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.724] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.724] CloseHandle (hObject=0x200) returned 1 [0086.724] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json.protected") returned 165 [0086.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json.protected")) returned 1 [0086.725] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.725] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.725] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.727] lstrlenA (lpString="EMPTY") returned 5 [0086.727] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.728] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.728] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.728] CloseHandle (hObject=0x1fc) returned 1 [0086.728] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.728] lstrcmpiW (lpString1="iw", lpString2="Windows") returned -1 [0086.728] lstrcmpiW (lpString1="iw", lpString2="Program Files") returned -1 [0086.728] lstrcmpiW (lpString1="iw", lpString2="Program Files (x86)") returned -1 [0086.728] lstrcmpiW (lpString1="iw", lpString2="$Recycle.bin") returned 1 [0086.728] lstrcmpiW (lpString1="iw", lpString2="System Volume Information") returned -1 [0086.728] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw") returned 141 [0086.728] lstrcmpW (lpString1="iw", lpString2=".") returned 1 [0086.728] lstrcmpW (lpString1="iw", lpString2="..") returned 1 [0086.728] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\*") returned 143 [0086.728] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.728] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.729] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.729] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.729] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.729] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.729] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\.") returned 143 [0086.729] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.729] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.729] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.729] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.729] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.729] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.729] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.729] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\..") returned 144 [0086.729] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.729] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.729] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.729] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.729] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.729] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.729] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.729] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.729] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json") returned 155 [0086.729] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.729] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.729] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.729] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.730] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json") returned 155 [0086.730] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.730] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json") returned 155 [0086.730] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.730] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json") returned 155 [0086.730] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.730] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x16a, lpOverlapped=0x0) returned 1 [0086.731] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.731] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x16a, lpOverlapped=0x0) returned 1 [0086.731] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.731] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.731] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.731] CloseHandle (hObject=0x200) returned 1 [0086.731] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json.protected") returned 165 [0086.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json.protected")) returned 1 [0086.732] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.732] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.732] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.732] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.732] lstrlenA (lpString="EMPTY") returned 5 [0086.732] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.733] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.733] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.733] CloseHandle (hObject=0x1fc) returned 1 [0086.733] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.733] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0086.733] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0086.733] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0086.733] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0086.733] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0086.733] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja") returned 141 [0086.733] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0086.733] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0086.733] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\*") returned 143 [0086.733] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.733] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.733] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.733] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.733] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.733] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.734] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\.") returned 143 [0086.734] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.734] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.734] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.734] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.734] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.734] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.734] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.734] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\..") returned 144 [0086.734] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.734] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.734] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.734] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.734] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.734] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.734] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.734] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.734] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json") returned 155 [0086.734] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.734] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.734] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.734] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.735] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json") returned 155 [0086.735] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.735] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json") returned 155 [0086.735] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.735] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json") returned 155 [0086.735] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.735] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xfb, lpOverlapped=0x0) returned 1 [0086.736] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.736] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xfb, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xfb, lpOverlapped=0x0) returned 1 [0086.736] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.736] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.736] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.736] CloseHandle (hObject=0x200) returned 1 [0086.737] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json.protected") returned 165 [0086.737] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json.protected")) returned 1 [0086.737] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.737] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.737] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.738] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.738] lstrlenA (lpString="EMPTY") returned 5 [0086.738] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.739] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.739] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.739] CloseHandle (hObject=0x1fc) returned 1 [0086.739] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.739] lstrcmpiW (lpString1="ka", lpString2="Windows") returned -1 [0086.739] lstrcmpiW (lpString1="ka", lpString2="Program Files") returned -1 [0086.739] lstrcmpiW (lpString1="ka", lpString2="Program Files (x86)") returned -1 [0086.739] lstrcmpiW (lpString1="ka", lpString2="$Recycle.bin") returned 1 [0086.739] lstrcmpiW (lpString1="ka", lpString2="System Volume Information") returned -1 [0086.739] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka") returned 141 [0086.739] lstrcmpW (lpString1="ka", lpString2=".") returned 1 [0086.739] lstrcmpW (lpString1="ka", lpString2="..") returned 1 [0086.739] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\*") returned 143 [0086.740] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.740] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.740] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.740] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.740] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.740] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.740] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\.") returned 143 [0086.740] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.740] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.740] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.740] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.740] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.740] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.740] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.740] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\..") returned 144 [0086.740] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.740] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.740] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.740] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.740] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.740] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.740] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.740] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.740] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json") returned 155 [0086.740] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.740] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.741] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.741] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.741] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json") returned 155 [0086.741] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.741] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json") returned 155 [0086.741] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.741] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json") returned 155 [0086.741] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.741] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x165, lpOverlapped=0x0) returned 1 [0086.742] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffe9b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.742] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x165, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x165, lpOverlapped=0x0) returned 1 [0086.742] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.742] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.742] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.742] CloseHandle (hObject=0x200) returned 1 [0086.742] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json.protected") returned 165 [0086.742] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json.protected")) returned 1 [0086.743] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.743] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.743] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.743] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.743] lstrlenA (lpString="EMPTY") returned 5 [0086.743] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.744] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.744] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.744] CloseHandle (hObject=0x1fc) returned 1 [0086.745] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.745] lstrcmpiW (lpString1="km", lpString2="Windows") returned -1 [0086.745] lstrcmpiW (lpString1="km", lpString2="Program Files") returned -1 [0086.745] lstrcmpiW (lpString1="km", lpString2="Program Files (x86)") returned -1 [0086.745] lstrcmpiW (lpString1="km", lpString2="$Recycle.bin") returned 1 [0086.745] lstrcmpiW (lpString1="km", lpString2="System Volume Information") returned -1 [0086.745] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km") returned 141 [0086.745] lstrcmpW (lpString1="km", lpString2=".") returned 1 [0086.745] lstrcmpW (lpString1="km", lpString2="..") returned 1 [0086.745] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\*") returned 143 [0086.745] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.745] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.745] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.745] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.745] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.745] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.745] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\.") returned 143 [0086.745] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.745] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.745] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.745] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.745] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.745] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.745] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.745] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\..") returned 144 [0086.746] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.746] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.746] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.746] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.746] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.746] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.746] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.746] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.746] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json") returned 155 [0086.746] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.746] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.746] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.746] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.747] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json") returned 155 [0086.747] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.747] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json") returned 155 [0086.747] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.747] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json") returned 155 [0086.747] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.747] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x25f, lpOverlapped=0x0) returned 1 [0086.806] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffda1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.806] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x25f, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x25f, lpOverlapped=0x0) returned 1 [0086.808] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.808] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.808] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.808] CloseHandle (hObject=0x200) returned 1 [0086.809] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json.protected") returned 165 [0086.809] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json.protected")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.810] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.810] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.810] lstrlenA (lpString="EMPTY") returned 5 [0086.810] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.811] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.811] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.811] CloseHandle (hObject=0x1fc) returned 1 [0086.811] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.811] lstrcmpiW (lpString1="kn", lpString2="Windows") returned -1 [0086.811] lstrcmpiW (lpString1="kn", lpString2="Program Files") returned -1 [0086.811] lstrcmpiW (lpString1="kn", lpString2="Program Files (x86)") returned -1 [0086.812] lstrcmpiW (lpString1="kn", lpString2="$Recycle.bin") returned 1 [0086.812] lstrcmpiW (lpString1="kn", lpString2="System Volume Information") returned -1 [0086.812] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn") returned 141 [0086.812] lstrcmpW (lpString1="kn", lpString2=".") returned 1 [0086.812] lstrcmpW (lpString1="kn", lpString2="..") returned 1 [0086.812] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\*") returned 143 [0086.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.812] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.812] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.812] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.812] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.812] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.812] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\.") returned 143 [0086.812] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.812] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.812] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.812] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.812] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.812] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.812] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.812] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\..") returned 144 [0086.812] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.813] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.813] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.813] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.813] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.813] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.813] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.813] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.813] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json") returned 155 [0086.813] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.813] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.813] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.813] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.813] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json") returned 155 [0086.813] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.813] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json") returned 155 [0086.813] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.814] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json") returned 155 [0086.814] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.814] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x147, lpOverlapped=0x0) returned 1 [0086.815] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeb9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.815] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x147, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x147, lpOverlapped=0x0) returned 1 [0086.815] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.815] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.815] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.815] CloseHandle (hObject=0x200) returned 1 [0086.815] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json.protected") returned 165 [0086.815] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json.protected")) returned 1 [0086.816] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.816] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.816] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.816] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.817] lstrlenA (lpString="EMPTY") returned 5 [0086.817] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.817] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.817] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.818] CloseHandle (hObject=0x1fc) returned 1 [0086.818] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.818] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0086.818] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0086.818] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0086.818] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0086.818] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0086.818] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko") returned 141 [0086.818] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0086.818] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0086.818] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\*") returned 143 [0086.818] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.818] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.818] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.818] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.818] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.818] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.818] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\.") returned 143 [0086.818] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.819] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.819] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.819] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.819] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.819] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.819] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.819] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\..") returned 144 [0086.819] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.819] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.819] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.819] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.819] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.819] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.819] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.819] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.819] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json") returned 155 [0086.819] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.819] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.819] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.819] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.821] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json") returned 155 [0086.821] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.821] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json") returned 155 [0086.821] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.821] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json") returned 155 [0086.821] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.821] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd9, lpOverlapped=0x0) returned 1 [0086.822] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.822] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd9, lpOverlapped=0x0) returned 1 [0086.822] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.822] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.822] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.823] CloseHandle (hObject=0x200) returned 1 [0086.823] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json.protected") returned 165 [0086.823] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json.protected")) returned 1 [0086.824] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.824] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.824] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.824] lstrlenA (lpString="EMPTY") returned 5 [0086.824] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.825] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.825] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.825] CloseHandle (hObject=0x1fc) returned 1 [0086.825] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.825] lstrcmpiW (lpString1="lo", lpString2="Windows") returned -1 [0086.826] lstrcmpiW (lpString1="lo", lpString2="Program Files") returned -1 [0086.826] lstrcmpiW (lpString1="lo", lpString2="Program Files (x86)") returned -1 [0086.826] lstrcmpiW (lpString1="lo", lpString2="$Recycle.bin") returned 1 [0086.826] lstrcmpiW (lpString1="lo", lpString2="System Volume Information") returned -1 [0086.826] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo") returned 141 [0086.826] lstrcmpW (lpString1="lo", lpString2=".") returned 1 [0086.826] lstrcmpW (lpString1="lo", lpString2="..") returned 1 [0086.826] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\*") returned 143 [0086.826] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.826] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.826] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.826] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.826] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.826] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.826] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\.") returned 143 [0086.826] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.826] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.826] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.826] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.826] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.826] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.826] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.826] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\..") returned 144 [0086.827] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.827] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.827] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.827] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.827] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.827] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.827] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.827] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.827] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json") returned 155 [0086.827] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.827] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.827] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.827] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.827] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json") returned 155 [0086.827] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.827] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json") returned 155 [0086.827] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.827] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json") returned 155 [0086.827] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.828] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x1c2, lpOverlapped=0x0) returned 1 [0086.828] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffe3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.829] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x1c2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x1c2, lpOverlapped=0x0) returned 1 [0086.829] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.829] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.829] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.829] CloseHandle (hObject=0x200) returned 1 [0086.829] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json.protected") returned 165 [0086.829] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json.protected")) returned 1 [0086.830] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.830] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.830] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.830] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.830] lstrlenA (lpString="EMPTY") returned 5 [0086.830] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.831] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.831] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.832] CloseHandle (hObject=0x1fc) returned 1 [0086.832] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.832] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0086.832] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0086.832] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0086.833] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0086.833] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0086.833] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt") returned 141 [0086.833] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0086.833] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0086.833] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\*") returned 143 [0086.833] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.833] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.833] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.833] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.833] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.833] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.833] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\.") returned 143 [0086.833] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.833] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.833] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.833] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.833] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.833] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.833] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.833] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\..") returned 144 [0086.833] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.834] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.834] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.834] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.834] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.834] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.834] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.834] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.834] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json") returned 155 [0086.834] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.834] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.834] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.834] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.834] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.835] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json") returned 155 [0086.835] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.835] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json") returned 155 [0086.835] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.835] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json") returned 155 [0086.835] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.835] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0086.837] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.837] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd5, lpOverlapped=0x0) returned 1 [0086.837] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.837] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.837] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.837] CloseHandle (hObject=0x200) returned 1 [0086.837] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json.protected") returned 165 [0086.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json.protected")) returned 1 [0086.838] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.838] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.838] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.838] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.839] lstrlenA (lpString="EMPTY") returned 5 [0086.839] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.840] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.840] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.840] CloseHandle (hObject=0x1fc) returned 1 [0086.840] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.840] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0086.840] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0086.840] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0086.840] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0086.840] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0086.840] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv") returned 141 [0086.840] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0086.840] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0086.840] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\*") returned 143 [0086.840] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.841] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.841] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.841] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.841] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.841] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.841] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\.") returned 143 [0086.841] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.841] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.841] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.841] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.841] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.841] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.841] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.841] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\..") returned 144 [0086.841] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.841] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.841] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.841] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.841] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.841] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.841] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.841] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.841] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json") returned 155 [0086.841] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.841] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.842] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.842] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.842] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.842] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json") returned 155 [0086.842] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.842] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json") returned 155 [0086.842] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.842] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json") returned 155 [0086.842] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.842] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xc6, lpOverlapped=0x0) returned 1 [0086.843] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.843] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xc6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xc6, lpOverlapped=0x0) returned 1 [0086.843] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.843] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0086.844] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0086.844] CloseHandle (hObject=0x200) returned 1 [0086.844] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json.protected") returned 165 [0086.844] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json.protected")) returned 1 [0086.845] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0086.845] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0086.845] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0086.845] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0086.845] lstrlenA (lpString="EMPTY") returned 5 [0086.845] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0086.846] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0086.846] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0086.846] CloseHandle (hObject=0x1fc) returned 1 [0086.846] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0086.846] lstrcmpiW (lpString1="ml", lpString2="Windows") returned -1 [0086.846] lstrcmpiW (lpString1="ml", lpString2="Program Files") returned -1 [0086.847] lstrcmpiW (lpString1="ml", lpString2="Program Files (x86)") returned -1 [0086.847] lstrcmpiW (lpString1="ml", lpString2="$Recycle.bin") returned 1 [0086.847] lstrcmpiW (lpString1="ml", lpString2="System Volume Information") returned -1 [0086.847] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml") returned 141 [0086.847] lstrcmpW (lpString1="ml", lpString2=".") returned 1 [0086.847] lstrcmpW (lpString1="ml", lpString2="..") returned 1 [0086.847] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\*") returned 143 [0086.847] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0086.848] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.848] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0086.848] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0086.848] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.848] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.848] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\.") returned 143 [0086.848] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.848] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.848] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.848] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0086.848] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0086.848] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.848] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.848] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\..") returned 144 [0086.848] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.848] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.848] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0086.848] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0086.848] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0086.848] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0086.848] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0086.848] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0086.848] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json") returned 155 [0086.848] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0086.848] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0086.848] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0086.848] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0086.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0086.955] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json") returned 155 [0086.955] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0086.955] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json") returned 155 [0086.955] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0086.955] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json") returned 155 [0086.955] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0086.956] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x183, lpOverlapped=0x0) returned 1 [0087.093] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffe7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.093] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x183, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x183, lpOverlapped=0x0) returned 1 [0087.094] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.094] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.094] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.094] CloseHandle (hObject=0x200) returned 1 [0087.094] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json.protected") returned 165 [0087.094] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json.protected")) returned 1 [0087.094] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.095] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.095] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.095] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.095] lstrlenA (lpString="EMPTY") returned 5 [0087.095] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.096] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.096] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.096] CloseHandle (hObject=0x1fc) returned 1 [0087.096] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.096] lstrcmpiW (lpString1="mn", lpString2="Windows") returned -1 [0087.096] lstrcmpiW (lpString1="mn", lpString2="Program Files") returned -1 [0087.096] lstrcmpiW (lpString1="mn", lpString2="Program Files (x86)") returned -1 [0087.096] lstrcmpiW (lpString1="mn", lpString2="$Recycle.bin") returned 1 [0087.096] lstrcmpiW (lpString1="mn", lpString2="System Volume Information") returned -1 [0087.096] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn") returned 141 [0087.096] lstrcmpW (lpString1="mn", lpString2=".") returned 1 [0087.096] lstrcmpW (lpString1="mn", lpString2="..") returned 1 [0087.096] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\*") returned 143 [0087.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.096] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.096] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.096] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.096] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.096] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.096] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\.") returned 143 [0087.097] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.097] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.097] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.097] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.097] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.097] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.097] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.097] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\..") returned 144 [0087.097] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.097] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.097] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.097] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.097] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.097] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.097] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.097] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.097] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json") returned 155 [0087.097] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.097] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.097] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.097] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.097] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json") returned 155 [0087.097] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.097] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json") returned 155 [0087.097] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.098] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json") returned 155 [0087.098] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.098] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x1c3, lpOverlapped=0x0) returned 1 [0087.098] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffe3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.098] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x1c3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x1c3, lpOverlapped=0x0) returned 1 [0087.098] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.098] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.099] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.099] CloseHandle (hObject=0x200) returned 1 [0087.099] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json.protected") returned 165 [0087.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json.protected")) returned 1 [0087.099] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.099] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.099] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.100] lstrlenA (lpString="EMPTY") returned 5 [0087.100] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.100] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.100] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.100] CloseHandle (hObject=0x1fc) returned 1 [0087.100] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.101] lstrcmpiW (lpString1="mr", lpString2="Windows") returned -1 [0087.101] lstrcmpiW (lpString1="mr", lpString2="Program Files") returned -1 [0087.101] lstrcmpiW (lpString1="mr", lpString2="Program Files (x86)") returned -1 [0087.101] lstrcmpiW (lpString1="mr", lpString2="$Recycle.bin") returned 1 [0087.101] lstrcmpiW (lpString1="mr", lpString2="System Volume Information") returned -1 [0087.101] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr") returned 141 [0087.101] lstrcmpW (lpString1="mr", lpString2=".") returned 1 [0087.101] lstrcmpW (lpString1="mr", lpString2="..") returned 1 [0087.101] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\*") returned 143 [0087.101] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.101] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.101] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.101] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.101] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.101] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.101] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\.") returned 143 [0087.101] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.101] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.101] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.101] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.101] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.101] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.101] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.101] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\..") returned 144 [0087.101] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.101] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.101] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.101] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.101] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.101] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.101] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.101] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.101] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json") returned 155 [0087.102] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.102] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.102] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.102] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.102] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json") returned 155 [0087.102] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.102] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json") returned 155 [0087.103] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.103] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json") returned 155 [0087.103] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.103] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x12c, lpOverlapped=0x0) returned 1 [0087.103] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffed4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.104] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x12c, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x12c, lpOverlapped=0x0) returned 1 [0087.104] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.104] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.104] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.104] CloseHandle (hObject=0x200) returned 1 [0087.104] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json.protected") returned 165 [0087.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json.protected")) returned 1 [0087.104] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.105] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.105] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.105] lstrlenA (lpString="EMPTY") returned 5 [0087.105] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.105] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.105] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.106] CloseHandle (hObject=0x1fc) returned 1 [0087.106] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.106] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0087.106] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0087.106] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0087.106] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0087.106] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0087.106] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms") returned 141 [0087.106] lstrcmpW (lpString1="ms", lpString2=".") returned 1 [0087.106] lstrcmpW (lpString1="ms", lpString2="..") returned 1 [0087.106] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\*") returned 143 [0087.106] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.106] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.106] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.106] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.106] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.106] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.106] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\.") returned 143 [0087.106] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.106] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.106] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.106] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.106] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.106] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.106] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.107] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\..") returned 144 [0087.107] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.107] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.107] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.107] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.107] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.107] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.107] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.107] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.107] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json") returned 155 [0087.107] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.107] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.107] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.107] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json") returned 155 [0087.107] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json") returned 155 [0087.107] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json") returned 155 [0087.107] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.107] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xcb, lpOverlapped=0x0) returned 1 [0087.108] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.108] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xcb, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xcb, lpOverlapped=0x0) returned 1 [0087.108] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.108] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.108] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.108] CloseHandle (hObject=0x200) returned 1 [0087.108] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json.protected") returned 165 [0087.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json.protected")) returned 1 [0087.109] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.109] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.109] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.109] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.109] lstrlenA (lpString="EMPTY") returned 5 [0087.109] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.110] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.110] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.110] CloseHandle (hObject=0x1fc) returned 1 [0087.110] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.110] lstrcmpiW (lpString1="ne", lpString2="Windows") returned -1 [0087.110] lstrcmpiW (lpString1="ne", lpString2="Program Files") returned -1 [0087.110] lstrcmpiW (lpString1="ne", lpString2="Program Files (x86)") returned -1 [0087.110] lstrcmpiW (lpString1="ne", lpString2="$Recycle.bin") returned 1 [0087.110] lstrcmpiW (lpString1="ne", lpString2="System Volume Information") returned -1 [0087.110] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne") returned 141 [0087.110] lstrcmpW (lpString1="ne", lpString2=".") returned 1 [0087.110] lstrcmpW (lpString1="ne", lpString2="..") returned 1 [0087.110] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\*") returned 143 [0087.110] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.111] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.111] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.111] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.111] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.111] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.111] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\.") returned 143 [0087.111] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.111] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.111] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.111] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.111] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.111] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.111] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.111] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\..") returned 144 [0087.111] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.111] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.111] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.111] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.111] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.111] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.111] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.111] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.111] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json") returned 155 [0087.111] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.111] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.111] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.111] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.112] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json") returned 155 [0087.112] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.112] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json") returned 155 [0087.112] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.112] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json") returned 155 [0087.112] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.112] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x20b, lpOverlapped=0x0) returned 1 [0087.113] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffdf5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.113] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x20b, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x20b, lpOverlapped=0x0) returned 1 [0087.113] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.113] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.113] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.113] CloseHandle (hObject=0x200) returned 1 [0087.113] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json.protected") returned 165 [0087.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json.protected")) returned 1 [0087.114] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.114] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.114] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.114] lstrlenA (lpString="EMPTY") returned 5 [0087.114] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.115] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.115] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.115] CloseHandle (hObject=0x1fc) returned 1 [0087.115] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.115] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0087.115] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0087.115] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0087.115] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0087.115] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0087.115] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl") returned 141 [0087.115] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0087.115] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0087.115] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\*") returned 143 [0087.115] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.116] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.116] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.116] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.116] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.116] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.116] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\.") returned 143 [0087.116] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.116] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.116] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.116] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.116] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.116] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.116] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.116] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\..") returned 144 [0087.116] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.117] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.117] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.117] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.117] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.117] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.117] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.117] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.117] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json") returned 155 [0087.117] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.117] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.117] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.117] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json") returned 155 [0087.117] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json") returned 155 [0087.117] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json") returned 155 [0087.117] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.117] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb1, lpOverlapped=0x0) returned 1 [0087.118] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.118] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb1, lpOverlapped=0x0) returned 1 [0087.118] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.118] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.118] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.119] CloseHandle (hObject=0x200) returned 1 [0087.119] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json.protected") returned 165 [0087.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json.protected")) returned 1 [0087.120] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.120] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.120] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.120] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.120] lstrlenA (lpString="EMPTY") returned 5 [0087.120] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.121] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.121] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.121] CloseHandle (hObject=0x1fc) returned 1 [0087.121] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.121] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0087.121] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0087.122] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0087.122] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0087.122] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0087.122] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no") returned 141 [0087.122] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0087.122] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0087.122] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\*") returned 143 [0087.122] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.122] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.122] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.122] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.122] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.122] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.122] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\.") returned 143 [0087.122] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.122] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.122] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.122] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.122] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.122] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.122] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.122] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\..") returned 144 [0087.122] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.122] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.122] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.122] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.122] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.122] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.122] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.122] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.122] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json") returned 155 [0087.122] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.122] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.122] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.122] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.123] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json") returned 155 [0087.123] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.123] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json") returned 155 [0087.123] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.123] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json") returned 155 [0087.123] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.123] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x96, lpOverlapped=0x0) returned 1 [0087.124] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff6a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.124] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x96, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x96, lpOverlapped=0x0) returned 1 [0087.124] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.124] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.124] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.124] CloseHandle (hObject=0x200) returned 1 [0087.124] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json.protected") returned 165 [0087.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json.protected")) returned 1 [0087.125] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.125] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.125] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.125] lstrlenA (lpString="EMPTY") returned 5 [0087.125] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.126] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.126] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.126] CloseHandle (hObject=0x1fc) returned 1 [0087.126] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.126] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0087.126] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0087.126] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0087.126] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0087.126] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0087.126] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl") returned 141 [0087.126] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0087.126] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0087.126] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\*") returned 143 [0087.126] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.127] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.127] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.127] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.127] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.127] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.127] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\.") returned 143 [0087.127] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.127] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.127] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.127] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.127] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.127] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.127] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.127] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\..") returned 144 [0087.127] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.127] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.127] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.127] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.127] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.127] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.127] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.127] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.127] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json") returned 155 [0087.127] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.127] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.127] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.127] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.127] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.128] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json") returned 155 [0087.128] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.128] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json") returned 155 [0087.128] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.128] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json") returned 155 [0087.128] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.128] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb4, lpOverlapped=0x0) returned 1 [0087.128] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.128] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb4, lpOverlapped=0x0) returned 1 [0087.129] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.129] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.129] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.129] CloseHandle (hObject=0x200) returned 1 [0087.129] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json.protected") returned 165 [0087.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json.protected")) returned 1 [0087.129] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.129] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.129] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.130] lstrlenA (lpString="EMPTY") returned 5 [0087.130] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.130] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.130] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.130] CloseHandle (hObject=0x1fc) returned 1 [0087.131] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.131] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0087.131] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0087.131] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0087.131] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0087.131] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0087.131] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR") returned 144 [0087.131] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0087.131] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0087.131] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\*") returned 146 [0087.131] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.131] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.131] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.131] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.131] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.131] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.131] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\.") returned 146 [0087.131] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.131] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.131] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.131] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.131] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.131] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.131] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.131] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\..") returned 147 [0087.131] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.131] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.131] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.131] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.131] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.131] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.131] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.131] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.131] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json") returned 158 [0087.131] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.131] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.131] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.132] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.132] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.132] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json") returned 158 [0087.132] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.132] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json") returned 158 [0087.132] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.132] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json") returned 158 [0087.132] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.132] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xbb, lpOverlapped=0x0) returned 1 [0087.133] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff45, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.133] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xbb, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xbb, lpOverlapped=0x0) returned 1 [0087.133] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.133] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.133] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.133] CloseHandle (hObject=0x200) returned 1 [0087.133] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json.protected") returned 168 [0087.133] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0087.133] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.134] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.134] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0087.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.134] lstrlenA (lpString="EMPTY") returned 5 [0087.134] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.135] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.135] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.135] CloseHandle (hObject=0x1fc) returned 1 [0087.135] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.135] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0087.135] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0087.135] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0087.135] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0087.135] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0087.135] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT") returned 144 [0087.135] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0087.135] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0087.135] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\*") returned 146 [0087.135] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.136] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.136] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.136] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.136] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.136] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.136] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\.") returned 146 [0087.136] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.136] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.136] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.136] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.136] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.137] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.137] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.137] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\..") returned 147 [0087.137] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.137] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.137] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.137] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.137] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.137] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.137] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.137] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.137] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json") returned 158 [0087.137] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.137] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.137] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.137] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json") returned 158 [0087.137] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json") returned 158 [0087.137] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json") returned 158 [0087.137] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.137] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xc6, lpOverlapped=0x0) returned 1 [0087.138] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.138] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xc6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xc6, lpOverlapped=0x0) returned 1 [0087.138] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.138] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.138] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.138] CloseHandle (hObject=0x200) returned 1 [0087.139] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json.protected") returned 168 [0087.139] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0087.139] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.139] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.139] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0087.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.139] lstrlenA (lpString="EMPTY") returned 5 [0087.140] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.140] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.140] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.140] CloseHandle (hObject=0x1fc) returned 1 [0087.141] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.141] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0087.141] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0087.141] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0087.141] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0087.141] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0087.141] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro") returned 141 [0087.141] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0087.141] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0087.141] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\*") returned 143 [0087.141] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.141] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.141] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.141] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.141] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.141] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.141] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\.") returned 143 [0087.141] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.141] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.141] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.141] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.141] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.141] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.141] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.142] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\..") returned 144 [0087.142] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.142] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.142] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.142] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.142] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.142] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.142] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.142] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.142] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json") returned 155 [0087.142] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.142] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.142] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.142] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.142] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json") returned 155 [0087.142] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.142] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json") returned 155 [0087.143] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.143] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json") returned 155 [0087.143] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.143] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xaf, lpOverlapped=0x0) returned 1 [0087.144] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff51, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.146] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xaf, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xaf, lpOverlapped=0x0) returned 1 [0087.146] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.146] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.146] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.146] CloseHandle (hObject=0x200) returned 1 [0087.146] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json.protected") returned 165 [0087.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json.protected")) returned 1 [0087.147] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.147] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.147] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.148] lstrlenA (lpString="EMPTY") returned 5 [0087.148] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.149] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.149] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.149] CloseHandle (hObject=0x1fc) returned 1 [0087.149] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.149] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0087.149] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0087.149] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0087.149] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0087.149] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0087.149] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru") returned 141 [0087.149] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0087.149] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0087.149] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\*") returned 143 [0087.149] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.151] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.151] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.151] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.151] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.151] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.151] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\.") returned 143 [0087.151] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.151] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.151] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.151] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.151] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.151] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.151] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.151] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\..") returned 144 [0087.151] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.151] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.151] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.151] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.151] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.151] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.151] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.151] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.151] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json") returned 155 [0087.151] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.151] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.151] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.152] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.152] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json") returned 155 [0087.152] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.152] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json") returned 155 [0087.152] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.152] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json") returned 155 [0087.152] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.152] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x119, lpOverlapped=0x0) returned 1 [0087.153] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffee7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.153] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x119, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x119, lpOverlapped=0x0) returned 1 [0087.153] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.153] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.153] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.154] CloseHandle (hObject=0x200) returned 1 [0087.154] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json.protected") returned 165 [0087.154] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json.protected")) returned 1 [0087.154] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.154] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.154] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.155] lstrlenA (lpString="EMPTY") returned 5 [0087.155] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.155] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.155] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.155] CloseHandle (hObject=0x1fc) returned 1 [0087.156] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.156] lstrcmpiW (lpString1="si", lpString2="Windows") returned -1 [0087.156] lstrcmpiW (lpString1="si", lpString2="Program Files") returned 1 [0087.156] lstrcmpiW (lpString1="si", lpString2="Program Files (x86)") returned 1 [0087.156] lstrcmpiW (lpString1="si", lpString2="$Recycle.bin") returned 1 [0087.156] lstrcmpiW (lpString1="si", lpString2="System Volume Information") returned -1 [0087.156] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si") returned 141 [0087.156] lstrcmpW (lpString1="si", lpString2=".") returned 1 [0087.156] lstrcmpW (lpString1="si", lpString2="..") returned 1 [0087.156] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\*") returned 143 [0087.156] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.156] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.156] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.156] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.156] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.156] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.156] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\.") returned 143 [0087.156] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.156] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.156] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.156] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.156] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.156] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.156] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.156] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\..") returned 144 [0087.156] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.156] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.156] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.156] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.156] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.156] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.156] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.156] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.156] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json") returned 155 [0087.156] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.156] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.156] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.156] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.157] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json") returned 155 [0087.157] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.157] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json") returned 155 [0087.157] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.157] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json") returned 155 [0087.157] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.157] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x14e, lpOverlapped=0x0) returned 1 [0087.158] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.158] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x14e, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x14e, lpOverlapped=0x0) returned 1 [0087.158] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.158] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.158] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.158] CloseHandle (hObject=0x200) returned 1 [0087.158] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json.protected") returned 165 [0087.158] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json.protected")) returned 1 [0087.159] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.159] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.159] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.159] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.159] lstrlenA (lpString="EMPTY") returned 5 [0087.159] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.160] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.160] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.160] CloseHandle (hObject=0x1fc) returned 1 [0087.160] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.160] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0087.160] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0087.160] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0087.160] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0087.160] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0087.160] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk") returned 141 [0087.160] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0087.160] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0087.160] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\*") returned 143 [0087.160] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.237] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.237] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.237] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.237] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.237] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.237] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\.") returned 143 [0087.237] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.237] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.237] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.237] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.237] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.237] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.237] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.237] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\..") returned 144 [0087.237] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.237] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.238] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.238] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.238] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.238] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.238] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.238] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.238] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json") returned 155 [0087.238] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.238] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.238] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.238] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.238] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json") returned 155 [0087.238] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.238] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json") returned 155 [0087.238] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.238] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json") returned 155 [0087.238] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.238] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xc5, lpOverlapped=0x0) returned 1 [0087.239] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.239] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xc5, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xc5, lpOverlapped=0x0) returned 1 [0087.239] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.239] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.239] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.239] CloseHandle (hObject=0x200) returned 1 [0087.239] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json.protected") returned 165 [0087.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json.protected")) returned 1 [0087.240] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.240] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.240] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.240] lstrlenA (lpString="EMPTY") returned 5 [0087.240] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.241] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.241] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.241] CloseHandle (hObject=0x1fc) returned 1 [0087.241] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.241] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0087.241] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0087.241] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0087.241] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0087.241] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0087.241] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl") returned 141 [0087.241] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0087.241] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0087.241] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\*") returned 143 [0087.242] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.242] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.242] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.242] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.242] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.242] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.242] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\.") returned 143 [0087.242] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.242] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.242] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.242] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.242] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.242] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.242] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.242] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\..") returned 144 [0087.242] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.242] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.242] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.242] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.242] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.242] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.242] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.242] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.242] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json") returned 155 [0087.242] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.242] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.242] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.242] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.243] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json") returned 155 [0087.243] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.243] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json") returned 155 [0087.243] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.243] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json") returned 155 [0087.243] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.243] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xbe, lpOverlapped=0x0) returned 1 [0087.244] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.244] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xbe, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xbe, lpOverlapped=0x0) returned 1 [0087.244] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.244] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.244] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.244] CloseHandle (hObject=0x200) returned 1 [0087.244] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json.protected") returned 165 [0087.244] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json.protected")) returned 1 [0087.245] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.245] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.245] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.245] lstrlenA (lpString="EMPTY") returned 5 [0087.245] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.246] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.246] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.246] CloseHandle (hObject=0x1fc) returned 1 [0087.246] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.246] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0087.246] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0087.246] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0087.246] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0087.246] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0087.246] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr") returned 141 [0087.246] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0087.246] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0087.246] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\*") returned 143 [0087.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.247] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.247] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.247] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.247] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.247] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.247] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\.") returned 143 [0087.247] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.247] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.247] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.247] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.247] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.247] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.248] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.248] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\..") returned 144 [0087.248] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.248] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.248] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.248] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.248] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.248] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.248] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.248] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.248] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json") returned 155 [0087.248] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.248] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.248] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.248] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.248] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json") returned 155 [0087.248] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.248] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json") returned 155 [0087.248] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.248] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json") returned 155 [0087.248] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.248] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x104, lpOverlapped=0x0) returned 1 [0087.249] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.249] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x104, lpOverlapped=0x0) returned 1 [0087.249] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.249] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.249] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.250] CloseHandle (hObject=0x200) returned 1 [0087.250] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json.protected") returned 165 [0087.250] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json.protected")) returned 1 [0087.251] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.251] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.252] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.252] lstrlenA (lpString="EMPTY") returned 5 [0087.252] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.253] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.253] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.253] CloseHandle (hObject=0x1fc) returned 1 [0087.253] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.253] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0087.253] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0087.253] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0087.253] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0087.253] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0087.253] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv") returned 141 [0087.253] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0087.253] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0087.253] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\*") returned 143 [0087.253] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.254] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.254] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.254] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.254] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.254] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.254] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\.") returned 143 [0087.254] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.254] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.254] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.254] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.254] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.254] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.254] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.254] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\..") returned 144 [0087.254] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.254] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.254] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.254] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.254] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.254] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.254] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.254] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.254] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json") returned 155 [0087.254] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.254] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.254] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.254] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json") returned 155 [0087.255] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json") returned 155 [0087.255] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json") returned 155 [0087.255] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.255] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0087.256] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.256] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb3, lpOverlapped=0x0) returned 1 [0087.256] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.256] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.256] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.256] CloseHandle (hObject=0x200) returned 1 [0087.257] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json.protected") returned 165 [0087.257] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json.protected")) returned 1 [0087.257] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.257] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.257] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.258] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.258] lstrlenA (lpString="EMPTY") returned 5 [0087.258] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.259] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.259] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.259] CloseHandle (hObject=0x1fc) returned 1 [0087.259] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.259] lstrcmpiW (lpString1="sw", lpString2="Windows") returned -1 [0087.259] lstrcmpiW (lpString1="sw", lpString2="Program Files") returned 1 [0087.259] lstrcmpiW (lpString1="sw", lpString2="Program Files (x86)") returned 1 [0087.259] lstrcmpiW (lpString1="sw", lpString2="$Recycle.bin") returned 1 [0087.259] lstrcmpiW (lpString1="sw", lpString2="System Volume Information") returned -1 [0087.259] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw") returned 141 [0087.259] lstrcmpW (lpString1="sw", lpString2=".") returned 1 [0087.259] lstrcmpW (lpString1="sw", lpString2="..") returned 1 [0087.259] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\*") returned 143 [0087.259] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.260] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.260] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.260] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.260] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.260] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.260] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\.") returned 143 [0087.260] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.260] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.260] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.260] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.260] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.260] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.260] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.260] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\..") returned 144 [0087.260] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.260] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.260] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.260] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.260] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.260] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.260] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.261] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.261] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json") returned 155 [0087.261] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.261] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.261] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.261] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json") returned 155 [0087.261] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json") returned 155 [0087.261] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json") returned 155 [0087.261] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.261] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xc4, lpOverlapped=0x0) returned 1 [0087.262] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.262] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xc4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xc4, lpOverlapped=0x0) returned 1 [0087.262] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.262] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.262] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.262] CloseHandle (hObject=0x200) returned 1 [0087.262] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json.protected") returned 165 [0087.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json.protected")) returned 1 [0087.263] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.263] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.263] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.263] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.263] lstrlenA (lpString="EMPTY") returned 5 [0087.263] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.264] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.264] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.264] CloseHandle (hObject=0x1fc) returned 1 [0087.264] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.264] lstrcmpiW (lpString1="ta", lpString2="Windows") returned -1 [0087.264] lstrcmpiW (lpString1="ta", lpString2="Program Files") returned 1 [0087.264] lstrcmpiW (lpString1="ta", lpString2="Program Files (x86)") returned 1 [0087.264] lstrcmpiW (lpString1="ta", lpString2="$Recycle.bin") returned 1 [0087.264] lstrcmpiW (lpString1="ta", lpString2="System Volume Information") returned 1 [0087.264] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta") returned 141 [0087.264] lstrcmpW (lpString1="ta", lpString2=".") returned 1 [0087.264] lstrcmpW (lpString1="ta", lpString2="..") returned 1 [0087.264] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\*") returned 143 [0087.265] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.265] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.265] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.265] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.265] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.265] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.265] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\.") returned 143 [0087.265] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.265] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.265] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.265] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.265] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.265] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.265] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.265] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\..") returned 144 [0087.265] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.265] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.265] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.265] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.265] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.265] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.265] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.265] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.265] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json") returned 155 [0087.265] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.265] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.265] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.265] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.266] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json") returned 155 [0087.266] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.266] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json") returned 155 [0087.266] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.266] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json") returned 155 [0087.266] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.266] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x150, lpOverlapped=0x0) returned 1 [0087.266] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.266] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x150, lpOverlapped=0x0) returned 1 [0087.267] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.267] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.267] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.267] CloseHandle (hObject=0x200) returned 1 [0087.267] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json.protected") returned 165 [0087.267] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json.protected")) returned 1 [0087.267] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.267] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.268] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.268] lstrlenA (lpString="EMPTY") returned 5 [0087.268] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.268] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.269] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.269] CloseHandle (hObject=0x1fc) returned 1 [0087.269] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.269] lstrcmpiW (lpString1="te", lpString2="Windows") returned -1 [0087.269] lstrcmpiW (lpString1="te", lpString2="Program Files") returned 1 [0087.269] lstrcmpiW (lpString1="te", lpString2="Program Files (x86)") returned 1 [0087.269] lstrcmpiW (lpString1="te", lpString2="$Recycle.bin") returned 1 [0087.269] lstrcmpiW (lpString1="te", lpString2="System Volume Information") returned 1 [0087.269] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te") returned 141 [0087.269] lstrcmpW (lpString1="te", lpString2=".") returned 1 [0087.269] lstrcmpW (lpString1="te", lpString2="..") returned 1 [0087.269] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\*") returned 143 [0087.269] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.270] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.270] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.270] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.270] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.270] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.270] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\.") returned 143 [0087.270] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.270] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.270] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.270] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.270] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.270] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.270] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.270] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\..") returned 144 [0087.270] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.270] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.270] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.270] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.270] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.270] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.270] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.270] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.270] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json") returned 155 [0087.270] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.270] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.270] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.270] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.270] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.270] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json") returned 155 [0087.270] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.271] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json") returned 155 [0087.271] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.271] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json") returned 155 [0087.271] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.271] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x115, lpOverlapped=0x0) returned 1 [0087.271] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeeb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.271] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x115, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x115, lpOverlapped=0x0) returned 1 [0087.271] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.271] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.272] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.272] CloseHandle (hObject=0x200) returned 1 [0087.272] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json.protected") returned 165 [0087.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json.protected")) returned 1 [0087.272] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.272] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.272] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.272] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.273] lstrlenA (lpString="EMPTY") returned 5 [0087.273] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.274] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.274] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.274] CloseHandle (hObject=0x1fc) returned 1 [0087.274] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.274] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0087.274] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0087.274] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0087.274] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0087.274] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0087.274] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th") returned 141 [0087.274] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0087.274] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0087.274] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\*") returned 143 [0087.274] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.274] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.274] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.274] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.274] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.274] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.274] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\.") returned 143 [0087.275] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.275] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.275] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.275] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.275] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.275] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.275] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.275] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\..") returned 144 [0087.275] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.275] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.275] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.275] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.275] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.275] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.275] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.275] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.275] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json") returned 155 [0087.275] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.275] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.275] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.275] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.275] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json") returned 155 [0087.275] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json") returned 155 [0087.276] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json") returned 155 [0087.276] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.276] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x125, lpOverlapped=0x0) returned 1 [0087.276] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffedb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.276] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x125, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x125, lpOverlapped=0x0) returned 1 [0087.276] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.276] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.277] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.277] CloseHandle (hObject=0x200) returned 1 [0087.277] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json.protected") returned 165 [0087.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json.protected")) returned 1 [0087.277] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.277] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.277] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.278] lstrlenA (lpString="EMPTY") returned 5 [0087.278] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.278] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.278] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.279] CloseHandle (hObject=0x1fc) returned 1 [0087.279] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.279] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0087.279] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0087.279] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0087.279] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0087.279] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0087.279] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr") returned 141 [0087.279] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0087.279] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0087.279] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\*") returned 143 [0087.279] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.279] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.279] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.279] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.279] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.279] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.280] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\.") returned 143 [0087.280] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.280] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.280] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.280] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.280] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.280] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.280] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.280] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\..") returned 144 [0087.280] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.280] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.280] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.280] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.280] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.280] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.280] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.280] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.280] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json") returned 155 [0087.280] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.280] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.280] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.280] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.280] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json") returned 155 [0087.280] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.280] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json") returned 155 [0087.280] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.280] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json") returned 155 [0087.280] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.280] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xcd, lpOverlapped=0x0) returned 1 [0087.281] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.281] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xcd, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xcd, lpOverlapped=0x0) returned 1 [0087.281] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.281] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.281] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.281] CloseHandle (hObject=0x200) returned 1 [0087.282] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json.protected") returned 165 [0087.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json.protected")) returned 1 [0087.282] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.282] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.282] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.282] lstrlenA (lpString="EMPTY") returned 5 [0087.282] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.283] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.283] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.283] CloseHandle (hObject=0x1fc) returned 1 [0087.283] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.283] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0087.283] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0087.283] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0087.283] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0087.284] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0087.284] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk") returned 141 [0087.284] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0087.284] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0087.284] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\*") returned 143 [0087.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.284] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.284] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.284] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.284] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.284] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.284] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\.") returned 143 [0087.284] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.284] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.284] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.284] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.284] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.284] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.284] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.284] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\..") returned 144 [0087.284] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.284] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.284] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.284] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.284] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.284] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.284] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.284] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.284] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json") returned 155 [0087.284] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.284] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.284] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.284] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.285] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json") returned 155 [0087.285] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.285] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json") returned 155 [0087.285] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.285] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json") returned 155 [0087.285] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.285] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x115, lpOverlapped=0x0) returned 1 [0087.285] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeeb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.286] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x115, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x115, lpOverlapped=0x0) returned 1 [0087.286] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.286] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.286] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.286] CloseHandle (hObject=0x200) returned 1 [0087.286] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json.protected") returned 165 [0087.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json.protected")) returned 1 [0087.286] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.286] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.286] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.287] lstrlenA (lpString="EMPTY") returned 5 [0087.287] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.287] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.288] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.288] CloseHandle (hObject=0x1fc) returned 1 [0087.288] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.288] lstrcmpiW (lpString1="ur", lpString2="Windows") returned -1 [0087.288] lstrcmpiW (lpString1="ur", lpString2="Program Files") returned 1 [0087.288] lstrcmpiW (lpString1="ur", lpString2="Program Files (x86)") returned 1 [0087.288] lstrcmpiW (lpString1="ur", lpString2="$Recycle.bin") returned 1 [0087.288] lstrcmpiW (lpString1="ur", lpString2="System Volume Information") returned 1 [0087.288] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur") returned 141 [0087.288] lstrcmpW (lpString1="ur", lpString2=".") returned 1 [0087.288] lstrcmpW (lpString1="ur", lpString2="..") returned 1 [0087.288] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\*") returned 143 [0087.288] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.300] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.300] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.300] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.300] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.300] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.300] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\.") returned 143 [0087.300] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.300] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.300] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.300] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.300] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.300] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.300] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.300] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\..") returned 144 [0087.300] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.300] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.300] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.300] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.300] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.300] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.300] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.300] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.300] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json") returned 155 [0087.300] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.300] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.300] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.300] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.301] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json") returned 155 [0087.301] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.301] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json") returned 155 [0087.301] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.301] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json") returned 155 [0087.301] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.301] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x177, lpOverlapped=0x0) returned 1 [0087.301] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffe89, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.301] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x177, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x177, lpOverlapped=0x0) returned 1 [0087.302] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.302] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.302] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.302] CloseHandle (hObject=0x200) returned 1 [0087.302] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json.protected") returned 165 [0087.302] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json.protected")) returned 1 [0087.302] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.303] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.303] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.303] lstrlenA (lpString="EMPTY") returned 5 [0087.303] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.303] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.303] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.304] CloseHandle (hObject=0x1fc) returned 1 [0087.304] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.304] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0087.304] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0087.304] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0087.304] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0087.304] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0087.304] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi") returned 141 [0087.304] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0087.304] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0087.304] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\*") returned 143 [0087.304] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.304] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.304] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.304] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.304] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.304] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.304] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\.") returned 143 [0087.304] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.304] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.304] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.304] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.304] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.304] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.304] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.304] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\..") returned 144 [0087.304] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.304] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.304] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.304] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.305] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.305] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.305] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.305] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.305] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json") returned 155 [0087.305] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.305] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.305] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.305] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.305] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json") returned 155 [0087.305] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.305] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json") returned 155 [0087.305] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.305] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json") returned 155 [0087.305] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.305] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0087.306] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.306] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xdd, lpOverlapped=0x0) returned 1 [0087.306] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.306] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.306] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.306] CloseHandle (hObject=0x200) returned 1 [0087.306] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json.protected") returned 165 [0087.306] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json.protected")) returned 1 [0087.307] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.307] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.307] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.307] lstrlenA (lpString="EMPTY") returned 5 [0087.307] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.308] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.308] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.308] CloseHandle (hObject=0x1fc) returned 1 [0087.308] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.308] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0087.308] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0087.308] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0087.308] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0087.308] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0087.308] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN") returned 144 [0087.308] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0087.308] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0087.308] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\*") returned 146 [0087.308] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.309] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.309] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.309] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.309] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.309] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.309] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\.") returned 146 [0087.309] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.309] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.309] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.309] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.309] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.309] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.309] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.309] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\..") returned 147 [0087.309] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.309] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.309] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.309] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.309] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.309] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.309] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.309] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.309] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json") returned 158 [0087.309] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.309] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.309] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.310] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.310] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json") returned 158 [0087.310] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.310] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json") returned 158 [0087.310] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.310] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json") returned 158 [0087.310] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.310] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xb0, lpOverlapped=0x0) returned 1 [0087.311] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.311] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xb0, lpOverlapped=0x0) returned 1 [0087.311] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.311] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.311] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.311] CloseHandle (hObject=0x200) returned 1 [0087.311] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json.protected") returned 168 [0087.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0087.312] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.312] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.312] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0087.312] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.312] lstrlenA (lpString="EMPTY") returned 5 [0087.312] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.313] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.313] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.313] CloseHandle (hObject=0x1fc) returned 1 [0087.313] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.313] lstrcmpiW (lpString1="zh_HK", lpString2="Windows") returned 1 [0087.313] lstrcmpiW (lpString1="zh_HK", lpString2="Program Files") returned 1 [0087.313] lstrcmpiW (lpString1="zh_HK", lpString2="Program Files (x86)") returned 1 [0087.313] lstrcmpiW (lpString1="zh_HK", lpString2="$Recycle.bin") returned 1 [0087.313] lstrcmpiW (lpString1="zh_HK", lpString2="System Volume Information") returned 1 [0087.313] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK") returned 144 [0087.313] lstrcmpW (lpString1="zh_HK", lpString2=".") returned 1 [0087.313] lstrcmpW (lpString1="zh_HK", lpString2="..") returned 1 [0087.313] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\*") returned 146 [0087.313] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.313] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.313] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.313] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.313] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.313] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.313] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\.") returned 146 [0087.313] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.313] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.313] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.313] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.314] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.314] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.314] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.314] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\..") returned 147 [0087.314] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.314] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.314] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.314] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.314] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.314] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.314] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.314] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.314] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json") returned 158 [0087.314] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.314] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.314] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.314] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.314] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json") returned 158 [0087.314] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.314] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json") returned 158 [0087.314] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.314] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json") returned 158 [0087.314] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.314] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd2, lpOverlapped=0x0) returned 1 [0087.315] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.315] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd2, lpOverlapped=0x0) returned 1 [0087.315] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.315] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.315] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.315] CloseHandle (hObject=0x200) returned 1 [0087.315] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json.protected") returned 168 [0087.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\messages.json.protected")) returned 1 [0087.316] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.316] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.316] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0087.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.316] lstrlenA (lpString="EMPTY") returned 5 [0087.316] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.317] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.317] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.317] CloseHandle (hObject=0x1fc) returned 1 [0087.317] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.317] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0087.317] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0087.317] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0087.317] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0087.317] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0087.317] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW") returned 144 [0087.317] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0087.317] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0087.317] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\*") returned 146 [0087.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.318] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.318] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.318] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.318] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.318] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.318] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\.") returned 146 [0087.318] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.318] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.318] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.318] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.318] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.318] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.318] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.318] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\..") returned 147 [0087.318] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.318] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.318] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.318] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.318] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.318] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.318] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.319] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.319] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json") returned 158 [0087.319] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.319] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.319] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.319] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json") returned 158 [0087.319] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json") returned 158 [0087.319] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json") returned 158 [0087.319] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.319] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xaa, lpOverlapped=0x0) returned 1 [0087.320] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.320] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xaa, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xaa, lpOverlapped=0x0) returned 1 [0087.320] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.320] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.320] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.320] CloseHandle (hObject=0x200) returned 1 [0087.320] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json.protected") returned 168 [0087.320] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0087.321] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.321] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.321] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0087.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.321] lstrlenA (lpString="EMPTY") returned 5 [0087.321] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.322] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.322] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.322] CloseHandle (hObject=0x1fc) returned 1 [0087.322] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.322] lstrcmpiW (lpString1="zu", lpString2="Windows") returned 1 [0087.322] lstrcmpiW (lpString1="zu", lpString2="Program Files") returned 1 [0087.322] lstrcmpiW (lpString1="zu", lpString2="Program Files (x86)") returned 1 [0087.322] lstrcmpiW (lpString1="zu", lpString2="$Recycle.bin") returned 1 [0087.322] lstrcmpiW (lpString1="zu", lpString2="System Volume Information") returned 1 [0087.322] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu") returned 141 [0087.322] lstrcmpW (lpString1="zu", lpString2=".") returned 1 [0087.322] lstrcmpW (lpString1="zu", lpString2="..") returned 1 [0087.322] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\*") returned 143 [0087.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0087.323] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.323] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.323] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.323] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.323] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.323] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\.") returned 143 [0087.323] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.323] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.323] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.323] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.323] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.323] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.323] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.323] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\..") returned 144 [0087.323] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.323] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.323] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0087.323] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0087.323] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0087.323] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0087.323] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0087.323] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0087.323] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json") returned 155 [0087.323] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0087.323] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.323] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0087.323] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0087.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0087.324] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json") returned 155 [0087.324] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0087.324] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json") returned 155 [0087.324] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0087.324] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json") returned 155 [0087.324] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0087.324] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xc2, lpOverlapped=0x0) returned 1 [0087.325] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.325] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xc2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xc2, lpOverlapped=0x0) returned 1 [0087.325] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.325] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0087.325] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0087.325] CloseHandle (hObject=0x200) returned 1 [0087.325] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json.protected") returned 165 [0087.325] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json.protected")) returned 1 [0087.326] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0087.326] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0087.326] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0087.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.327] lstrlenA (lpString="EMPTY") returned 5 [0087.327] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0087.328] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.328] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.328] CloseHandle (hObject=0x1fc) returned 1 [0087.328] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0087.328] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0087.328] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 168 [0087.328] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0087.329] lstrlenA (lpString="EMPTY") returned 5 [0087.329] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0087.329] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0087.329] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0087.329] CloseHandle (hObject=0x1f8) returned 1 [0087.330] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0087.330] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0087.330] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0087.330] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0087.330] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0087.330] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0087.330] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata") returned 139 [0087.330] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0087.330] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0087.330] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\*") returned 141 [0087.330] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0087.330] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.330] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0087.330] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0087.330] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.331] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.331] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\.") returned 141 [0087.331] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.331] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.331] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.331] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0087.331] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0087.331] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.331] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.331] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\..") returned 142 [0087.331] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.331] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.331] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.331] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0087.331] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0087.331] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files (x86)") returned -1 [0087.331] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0087.331] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0087.331] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json") returned 160 [0087.331] StrStrIW (lpFirst="computed_hashes.json", lpSrch=".protected") returned 0x0 [0087.331] lstrcmpW (lpString1="computed_hashes.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0087.331] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0087.331] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0087.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json") returned 160 [0087.331] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0087.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json") returned 160 [0087.331] StrStrW (lpFirst="computed_hashes.json", lpSrch=".rar") returned 0x0 [0087.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json") returned 160 [0087.332] StrStrW (lpFirst="computed_hashes.json", lpSrch=".zip") returned 0x0 [0087.332] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0xaf3, lpOverlapped=0x0) returned 1 [0087.333] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffff50d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.333] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xaf3, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0xaf3, lpOverlapped=0x0) returned 1 [0087.333] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.333] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0087.333] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0087.333] CloseHandle (hObject=0x1fc) returned 1 [0087.333] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json.protected") returned 170 [0087.334] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json.protected")) returned 1 [0087.334] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0087.334] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0087.334] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0087.334] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0087.334] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0087.334] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0087.334] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json") returned 162 [0087.334] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0087.334] lstrcmpW (lpString1="verified_contents.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0087.334] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0087.334] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0087.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0087.335] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json") returned 162 [0087.335] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0087.335] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json") returned 162 [0087.335] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0087.335] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json") returned 162 [0087.335] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0087.335] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0087.336] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.336] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0087.336] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.336] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0087.336] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0087.337] CloseHandle (hObject=0x1fc) returned 1 [0087.337] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json.protected") returned 172 [0087.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json.protected")) returned 1 [0087.337] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0087.337] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0087.337] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 169 [0087.337] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0088.021] lstrlenA (lpString="EMPTY") returned 5 [0088.021] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0088.022] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.022] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0088.022] CloseHandle (hObject=0x1f8) returned 1 [0088.022] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0 [0088.022] FindClose (in: hFindFile=0x557570 | out: hFindFile=0x557570) returned 1 [0088.024] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 159 [0088.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0088.024] lstrlenA (lpString="EMPTY") returned 5 [0088.024] WriteFile (in: hFile=0x1f4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed6c4*=0x5, lpOverlapped=0x0) returned 1 [0088.025] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.025] WriteFile (in: hFile=0x1f4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed6c4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.025] CloseHandle (hObject=0x1f4) returned 1 [0088.026] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0 [0088.026] FindClose (in: hFindFile=0x557530 | out: hFindFile=0x557530) returned 1 [0088.026] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 153 [0088.026] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0088.026] lstrlenA (lpString="EMPTY") returned 5 [0088.026] WriteFile (in: hFile=0x1f0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed9bc*=0x5, lpOverlapped=0x0) returned 1 [0088.027] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.027] WriteFile (in: hFile=0x1f0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed9bc*=0x2ac, lpOverlapped=0x0) returned 1 [0088.027] CloseHandle (hObject=0x1f0) returned 1 [0088.027] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0088.027] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="Windows") returned -1 [0088.027] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="Program Files") returned -1 [0088.027] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="Program Files (x86)") returned -1 [0088.027] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="$Recycle.bin") returned 1 [0088.027] lstrcmpiW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="System Volume Information") returned -1 [0088.027] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda") returned 123 [0088.027] lstrcmpW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2=".") returned 1 [0088.027] lstrcmpW (lpString1="nmmhkkegccagdldgiimedpiccmgmieda", lpString2="..") returned 1 [0088.028] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\*") returned 125 [0088.028] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\*", lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0x557530 [0088.028] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.028] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.028] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.028] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.028] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.028] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\.") returned 125 [0088.028] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.028] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0088.028] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.028] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.028] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.028] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.028] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.028] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\..") returned 126 [0088.028] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.028] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.028] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0088.028] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="Windows") returned -1 [0088.028] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="Program Files") returned -1 [0088.028] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="Program Files (x86)") returned -1 [0088.028] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="$Recycle.bin") returned 1 [0088.028] lstrcmpiW (lpString1="1.0.0.2_0", lpString2="System Volume Information") returned -1 [0088.028] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0") returned 133 [0088.028] lstrcmpW (lpString1="1.0.0.2_0", lpString2=".") returned 1 [0088.028] lstrcmpW (lpString1="1.0.0.2_0", lpString2="..") returned 1 [0088.028] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\*") returned 135 [0088.028] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\*", lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0x557570 [0088.112] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.112] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.112] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.112] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.113] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.113] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\.") returned 135 [0088.113] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.113] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0088.113] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.113] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.113] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.113] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.113] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.113] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\..") returned 136 [0088.113] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.113] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.113] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0088.113] lstrcmpiW (lpString1="craw_background.js", lpString2="Windows") returned -1 [0088.113] lstrcmpiW (lpString1="craw_background.js", lpString2="Program Files") returned -1 [0088.113] lstrcmpiW (lpString1="craw_background.js", lpString2="Program Files (x86)") returned -1 [0088.113] lstrcmpiW (lpString1="craw_background.js", lpString2="$Recycle.bin") returned 1 [0088.113] lstrcmpiW (lpString1="craw_background.js", lpString2="System Volume Information") returned -1 [0088.113] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js") returned 152 [0088.113] StrStrIW (lpFirst="craw_background.js", lpSrch=".protected") returned 0x0 [0088.113] lstrcmpW (lpString1="craw_background.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0088.113] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0088.113] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0088.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0088.114] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js") returned 152 [0088.114] StrStrW (lpFirst="craw_background.js", lpSrch=".txt") returned 0x0 [0088.114] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js") returned 152 [0088.114] StrStrW (lpFirst="craw_background.js", lpSrch=".rar") returned 0x0 [0088.114] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js") returned 152 [0088.114] StrStrW (lpFirst="craw_background.js", lpSrch=".zip") returned 0x0 [0088.114] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0088.207] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.207] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0088.207] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.207] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0088.259] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0088.259] CloseHandle (hObject=0x1f8) returned 1 [0088.343] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js.protected") returned 162 [0088.343] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js.protected")) returned 1 [0088.344] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0088.344] lstrcmpiW (lpString1="craw_window.js", lpString2="Windows") returned -1 [0088.344] lstrcmpiW (lpString1="craw_window.js", lpString2="Program Files") returned -1 [0088.344] lstrcmpiW (lpString1="craw_window.js", lpString2="Program Files (x86)") returned -1 [0088.344] lstrcmpiW (lpString1="craw_window.js", lpString2="$Recycle.bin") returned 1 [0088.344] lstrcmpiW (lpString1="craw_window.js", lpString2="System Volume Information") returned -1 [0088.344] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js") returned 148 [0088.344] StrStrIW (lpFirst="craw_window.js", lpSrch=".protected") returned 0x0 [0088.344] lstrcmpW (lpString1="craw_window.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0088.344] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0088.344] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0088.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0088.345] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js") returned 148 [0088.346] StrStrW (lpFirst="craw_window.js", lpSrch=".txt") returned 0x0 [0088.346] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js") returned 148 [0088.346] StrStrW (lpFirst="craw_window.js", lpSrch=".rar") returned 0x0 [0088.346] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js") returned 148 [0088.346] StrStrW (lpFirst="craw_window.js", lpSrch=".zip") returned 0x0 [0088.346] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0088.429] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.429] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0088.430] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.430] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0088.458] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0088.458] CloseHandle (hObject=0x1f8) returned 1 [0088.502] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js.protected") returned 158 [0088.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js.protected")) returned 1 [0088.502] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0088.502] lstrcmpiW (lpString1="css", lpString2="Windows") returned -1 [0088.502] lstrcmpiW (lpString1="css", lpString2="Program Files") returned -1 [0088.502] lstrcmpiW (lpString1="css", lpString2="Program Files (x86)") returned -1 [0088.502] lstrcmpiW (lpString1="css", lpString2="$Recycle.bin") returned 1 [0088.502] lstrcmpiW (lpString1="css", lpString2="System Volume Information") returned -1 [0088.503] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css") returned 137 [0088.503] lstrcmpW (lpString1="css", lpString2=".") returned 1 [0088.503] lstrcmpW (lpString1="css", lpString2="..") returned 1 [0088.503] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\*") returned 139 [0088.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0088.503] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.503] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.503] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.503] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.503] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.503] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\.") returned 139 [0088.503] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.503] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.503] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.503] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.503] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.503] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.503] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.503] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\..") returned 140 [0088.503] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.503] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.503] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.503] lstrcmpiW (lpString1="craw_window.css", lpString2="Windows") returned -1 [0088.503] lstrcmpiW (lpString1="craw_window.css", lpString2="Program Files") returned -1 [0088.503] lstrcmpiW (lpString1="craw_window.css", lpString2="Program Files (x86)") returned -1 [0088.503] lstrcmpiW (lpString1="craw_window.css", lpString2="$Recycle.bin") returned 1 [0088.503] lstrcmpiW (lpString1="craw_window.css", lpString2="System Volume Information") returned -1 [0088.503] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css") returned 153 [0088.503] StrStrIW (lpFirst="craw_window.css", lpSrch=".protected") returned 0x0 [0088.503] lstrcmpW (lpString1="craw_window.css", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0088.503] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0088.503] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0088.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.504] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css") returned 153 [0088.504] StrStrW (lpFirst="craw_window.css", lpSrch=".txt") returned 0x0 [0088.504] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css") returned 153 [0088.504] StrStrW (lpFirst="craw_window.css", lpSrch=".rar") returned 0x0 [0088.504] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css") returned 153 [0088.504] StrStrW (lpFirst="craw_window.css", lpSrch=".zip") returned 0x0 [0088.504] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x6cd, lpOverlapped=0x0) returned 1 [0088.535] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffff933, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.535] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x6cd, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x6cd, lpOverlapped=0x0) returned 1 [0088.536] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.536] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0088.536] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0088.536] CloseHandle (hObject=0x1fc) returned 1 [0088.536] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css.protected") returned 163 [0088.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css.protected")) returned 1 [0088.537] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0088.537] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0088.537] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 167 [0088.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0088.537] lstrlenA (lpString="EMPTY") returned 5 [0088.537] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0088.538] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.538] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0088.538] CloseHandle (hObject=0x1f8) returned 1 [0088.538] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0088.539] lstrcmpiW (lpString1="html", lpString2="Windows") returned -1 [0088.539] lstrcmpiW (lpString1="html", lpString2="Program Files") returned -1 [0088.539] lstrcmpiW (lpString1="html", lpString2="Program Files (x86)") returned -1 [0088.539] lstrcmpiW (lpString1="html", lpString2="$Recycle.bin") returned 1 [0088.539] lstrcmpiW (lpString1="html", lpString2="System Volume Information") returned -1 [0088.539] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html") returned 138 [0088.539] lstrcmpW (lpString1="html", lpString2=".") returned 1 [0088.539] lstrcmpW (lpString1="html", lpString2="..") returned 1 [0088.539] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\*") returned 140 [0088.539] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0088.539] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.539] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.539] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.539] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.539] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.539] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\.") returned 140 [0088.539] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.539] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.539] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.539] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.539] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.539] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.540] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.540] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\..") returned 141 [0088.540] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.540] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.540] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.540] lstrcmpiW (lpString1="craw_window.html", lpString2="Windows") returned -1 [0088.540] lstrcmpiW (lpString1="craw_window.html", lpString2="Program Files") returned -1 [0088.540] lstrcmpiW (lpString1="craw_window.html", lpString2="Program Files (x86)") returned -1 [0088.540] lstrcmpiW (lpString1="craw_window.html", lpString2="$Recycle.bin") returned 1 [0088.540] lstrcmpiW (lpString1="craw_window.html", lpString2="System Volume Information") returned -1 [0088.540] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html") returned 155 [0088.540] StrStrIW (lpFirst="craw_window.html", lpSrch=".protected") returned 0x0 [0088.540] lstrcmpW (lpString1="craw_window.html", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0088.540] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0088.540] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0088.540] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.543] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html") returned 155 [0088.543] StrStrW (lpFirst="craw_window.html", lpSrch=".txt") returned 0x0 [0088.543] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html") returned 155 [0088.543] StrStrW (lpFirst="craw_window.html", lpSrch=".rar") returned 0x0 [0088.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html") returned 155 [0088.544] StrStrW (lpFirst="craw_window.html", lpSrch=".zip") returned 0x0 [0088.544] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x32a, lpOverlapped=0x0) returned 1 [0088.547] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffffcd6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.547] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x32a, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x32a, lpOverlapped=0x0) returned 1 [0088.548] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.548] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0088.548] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0088.548] CloseHandle (hObject=0x1fc) returned 1 [0088.548] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html.protected") returned 165 [0088.548] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html.protected")) returned 1 [0088.549] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0088.549] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0088.549] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 168 [0088.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0088.549] lstrlenA (lpString="EMPTY") returned 5 [0088.549] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0088.550] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.550] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0088.550] CloseHandle (hObject=0x1f8) returned 1 [0088.550] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0088.550] lstrcmpiW (lpString1="images", lpString2="Windows") returned -1 [0088.550] lstrcmpiW (lpString1="images", lpString2="Program Files") returned -1 [0088.550] lstrcmpiW (lpString1="images", lpString2="Program Files (x86)") returned -1 [0088.550] lstrcmpiW (lpString1="images", lpString2="$Recycle.bin") returned 1 [0088.550] lstrcmpiW (lpString1="images", lpString2="System Volume Information") returned -1 [0088.550] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images") returned 140 [0088.550] lstrcmpW (lpString1="images", lpString2=".") returned 1 [0088.550] lstrcmpW (lpString1="images", lpString2="..") returned 1 [0088.550] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\*") returned 142 [0088.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0088.556] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.556] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.556] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.556] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.556] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.556] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\.") returned 142 [0088.556] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.556] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.556] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.556] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.556] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.556] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.557] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.557] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\..") returned 143 [0088.557] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.557] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.557] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.557] lstrcmpiW (lpString1="flapper.gif", lpString2="Windows") returned -1 [0088.557] lstrcmpiW (lpString1="flapper.gif", lpString2="Program Files") returned -1 [0088.557] lstrcmpiW (lpString1="flapper.gif", lpString2="Program Files (x86)") returned -1 [0088.557] lstrcmpiW (lpString1="flapper.gif", lpString2="$Recycle.bin") returned 1 [0088.557] lstrcmpiW (lpString1="flapper.gif", lpString2="System Volume Information") returned -1 [0088.557] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif") returned 152 [0088.557] StrStrIW (lpFirst="flapper.gif", lpSrch=".protected") returned 0x0 [0088.557] lstrcmpW (lpString1="flapper.gif", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0088.557] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0088.557] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0088.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.557] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif") returned 152 [0088.557] StrStrW (lpFirst="flapper.gif", lpSrch=".txt") returned 0x0 [0088.557] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif") returned 152 [0088.557] StrStrW (lpFirst="flapper.gif", lpSrch=".rar") returned 0x0 [0088.557] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif") returned 152 [0088.557] StrStrW (lpFirst="flapper.gif", lpSrch=".zip") returned 0x0 [0088.557] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0088.561] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.561] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0088.561] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.561] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0088.564] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0088.564] CloseHandle (hObject=0x1fc) returned 1 [0088.564] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif.protected") returned 162 [0088.564] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif.protected")) returned 1 [0088.565] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.565] lstrcmpiW (lpString1="icon_128.png", lpString2="Windows") returned -1 [0088.565] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files") returned -1 [0088.565] lstrcmpiW (lpString1="icon_128.png", lpString2="Program Files (x86)") returned -1 [0088.565] lstrcmpiW (lpString1="icon_128.png", lpString2="$Recycle.bin") returned 1 [0088.565] lstrcmpiW (lpString1="icon_128.png", lpString2="System Volume Information") returned -1 [0088.565] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png") returned 153 [0088.565] StrStrIW (lpFirst="icon_128.png", lpSrch=".protected") returned 0x0 [0088.566] lstrcmpW (lpString1="icon_128.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.566] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0088.566] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0088.566] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.566] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png") returned 153 [0088.566] StrStrW (lpFirst="icon_128.png", lpSrch=".txt") returned 0x0 [0088.566] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png") returned 153 [0088.566] StrStrW (lpFirst="icon_128.png", lpSrch=".rar") returned 0x0 [0088.566] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png") returned 153 [0088.566] StrStrW (lpFirst="icon_128.png", lpSrch=".zip") returned 0x0 [0088.566] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x1109, lpOverlapped=0x0) returned 1 [0088.568] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffeef7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.568] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x1109, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x1109, lpOverlapped=0x0) returned 1 [0088.568] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.568] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0088.568] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0088.568] CloseHandle (hObject=0x1fc) returned 1 [0088.570] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png.protected") returned 163 [0088.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png.protected")) returned 1 [0088.570] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.570] lstrcmpiW (lpString1="icon_16.png", lpString2="Windows") returned -1 [0088.570] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files") returned -1 [0088.570] lstrcmpiW (lpString1="icon_16.png", lpString2="Program Files (x86)") returned -1 [0088.570] lstrcmpiW (lpString1="icon_16.png", lpString2="$Recycle.bin") returned 1 [0088.570] lstrcmpiW (lpString1="icon_16.png", lpString2="System Volume Information") returned -1 [0088.570] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png") returned 152 [0088.570] StrStrIW (lpFirst="icon_16.png", lpSrch=".protected") returned 0x0 [0088.570] lstrcmpW (lpString1="icon_16.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.570] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0088.570] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0088.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.573] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png") returned 152 [0088.573] StrStrW (lpFirst="icon_16.png", lpSrch=".txt") returned 0x0 [0088.573] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png") returned 152 [0088.573] StrStrW (lpFirst="icon_16.png", lpSrch=".rar") returned 0x0 [0088.573] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png") returned 152 [0088.573] StrStrW (lpFirst="icon_16.png", lpSrch=".zip") returned 0x0 [0088.573] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x22c, lpOverlapped=0x0) returned 1 [0088.574] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffffdd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.574] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x22c, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x22c, lpOverlapped=0x0) returned 1 [0088.574] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.574] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0088.574] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0088.574] CloseHandle (hObject=0x1fc) returned 1 [0088.574] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png.protected") returned 162 [0088.574] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png.protected")) returned 1 [0088.589] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.589] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="Windows") returned -1 [0088.589] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="Program Files") returned 1 [0088.590] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="Program Files (x86)") returned 1 [0088.590] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="$Recycle.bin") returned 1 [0088.590] lstrcmpiW (lpString1="topbar_floating_button.png", lpString2="System Volume Information") returned 1 [0088.590] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png") returned 167 [0088.590] StrStrIW (lpFirst="topbar_floating_button.png", lpSrch=".protected") returned 0x0 [0088.590] lstrcmpW (lpString1="topbar_floating_button.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.590] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0088.590] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0088.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.590] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png") returned 167 [0088.590] StrStrW (lpFirst="topbar_floating_button.png", lpSrch=".txt") returned 0x0 [0088.590] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png") returned 167 [0088.590] StrStrW (lpFirst="topbar_floating_button.png", lpSrch=".rar") returned 0x0 [0088.590] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png") returned 167 [0088.590] StrStrW (lpFirst="topbar_floating_button.png", lpSrch=".zip") returned 0x0 [0088.590] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0xa0, lpOverlapped=0x0) returned 1 [0088.591] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffff60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.591] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0xa0, lpOverlapped=0x0) returned 1 [0088.591] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.591] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0088.591] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0088.592] CloseHandle (hObject=0x1fc) returned 1 [0088.592] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png.protected") returned 177 [0088.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png.protected")) returned 1 [0088.592] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.592] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="Windows") returned -1 [0088.592] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="Program Files") returned 1 [0088.592] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="Program Files (x86)") returned 1 [0088.592] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="$Recycle.bin") returned 1 [0088.592] lstrcmpiW (lpString1="topbar_floating_button_close.png", lpString2="System Volume Information") returned 1 [0088.592] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png") returned 173 [0088.592] StrStrIW (lpFirst="topbar_floating_button_close.png", lpSrch=".protected") returned 0x0 [0088.592] lstrcmpW (lpString1="topbar_floating_button_close.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.593] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0088.593] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0088.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.593] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png") returned 173 [0088.593] StrStrW (lpFirst="topbar_floating_button_close.png", lpSrch=".txt") returned 0x0 [0088.593] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png") returned 173 [0088.593] StrStrW (lpFirst="topbar_floating_button_close.png", lpSrch=".rar") returned 0x0 [0088.593] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png") returned 173 [0088.593] StrStrW (lpFirst="topbar_floating_button_close.png", lpSrch=".zip") returned 0x0 [0088.593] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0xfc, lpOverlapped=0x0) returned 1 [0088.594] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffff04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.594] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0xfc, lpOverlapped=0x0) returned 1 [0088.594] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.594] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0088.594] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0088.594] CloseHandle (hObject=0x1fc) returned 1 [0088.594] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png.protected") returned 183 [0088.594] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png.protected")) returned 1 [0088.595] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.595] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="Windows") returned -1 [0088.595] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="Program Files") returned 1 [0088.595] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="Program Files (x86)") returned 1 [0088.595] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="$Recycle.bin") returned 1 [0088.595] lstrcmpiW (lpString1="topbar_floating_button_hover.png", lpString2="System Volume Information") returned 1 [0088.595] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png") returned 173 [0088.595] StrStrIW (lpFirst="topbar_floating_button_hover.png", lpSrch=".protected") returned 0x0 [0088.595] lstrcmpW (lpString1="topbar_floating_button_hover.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.595] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0088.595] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0088.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.595] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png") returned 173 [0088.595] StrStrW (lpFirst="topbar_floating_button_hover.png", lpSrch=".txt") returned 0x0 [0088.595] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png") returned 173 [0088.595] StrStrW (lpFirst="topbar_floating_button_hover.png", lpSrch=".rar") returned 0x0 [0088.595] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png") returned 173 [0088.595] StrStrW (lpFirst="topbar_floating_button_hover.png", lpSrch=".zip") returned 0x0 [0088.596] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0xa0, lpOverlapped=0x0) returned 1 [0088.596] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffff60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.596] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0xa0, lpOverlapped=0x0) returned 1 [0088.596] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.596] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0088.596] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0088.596] CloseHandle (hObject=0x1fc) returned 1 [0088.597] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png.protected") returned 183 [0088.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png.protected")) returned 1 [0088.597] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.597] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="Windows") returned -1 [0088.597] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="Program Files") returned 1 [0088.597] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="Program Files (x86)") returned 1 [0088.597] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="$Recycle.bin") returned 1 [0088.597] lstrcmpiW (lpString1="topbar_floating_button_maximize.png", lpString2="System Volume Information") returned 1 [0088.597] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png") returned 176 [0088.597] StrStrIW (lpFirst="topbar_floating_button_maximize.png", lpSrch=".protected") returned 0x0 [0088.597] lstrcmpW (lpString1="topbar_floating_button_maximize.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.597] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0088.597] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0088.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.599] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png") returned 176 [0088.599] StrStrW (lpFirst="topbar_floating_button_maximize.png", lpSrch=".txt") returned 0x0 [0088.599] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png") returned 176 [0088.599] StrStrW (lpFirst="topbar_floating_button_maximize.png", lpSrch=".rar") returned 0x0 [0088.599] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png") returned 176 [0088.599] StrStrW (lpFirst="topbar_floating_button_maximize.png", lpSrch=".zip") returned 0x0 [0088.599] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0xa6, lpOverlapped=0x0) returned 1 [0088.600] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffff5a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.600] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xa6, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0xa6, lpOverlapped=0x0) returned 1 [0088.600] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.600] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0088.600] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0088.600] CloseHandle (hObject=0x1fc) returned 1 [0088.600] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png.protected") returned 186 [0088.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png.protected")) returned 1 [0088.601] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.601] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="Windows") returned -1 [0088.601] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="Program Files") returned 1 [0088.601] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="Program Files (x86)") returned 1 [0088.601] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="$Recycle.bin") returned 1 [0088.601] lstrcmpiW (lpString1="topbar_floating_button_pressed.png", lpString2="System Volume Information") returned 1 [0088.601] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png") returned 175 [0088.601] StrStrIW (lpFirst="topbar_floating_button_pressed.png", lpSrch=".protected") returned 0x0 [0088.601] lstrcmpW (lpString1="topbar_floating_button_pressed.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.601] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0088.601] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0088.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png") returned 175 [0088.601] StrStrW (lpFirst="topbar_floating_button_pressed.png", lpSrch=".txt") returned 0x0 [0088.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png") returned 175 [0088.601] StrStrW (lpFirst="topbar_floating_button_pressed.png", lpSrch=".rar") returned 0x0 [0088.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png") returned 175 [0088.601] StrStrW (lpFirst="topbar_floating_button_pressed.png", lpSrch=".zip") returned 0x0 [0088.601] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0xa0, lpOverlapped=0x0) returned 1 [0088.602] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffff60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.602] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0xa0, lpOverlapped=0x0) returned 1 [0088.602] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.602] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0088.602] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0088.602] CloseHandle (hObject=0x1fc) returned 1 [0088.603] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png.protected") returned 185 [0088.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png.protected")) returned 1 [0088.603] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0088.603] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0088.603] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 170 [0088.603] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0088.603] lstrlenA (lpString="EMPTY") returned 5 [0088.603] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0088.604] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.604] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0088.604] CloseHandle (hObject=0x1f8) returned 1 [0088.604] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0088.604] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0088.604] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0088.604] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0088.604] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0088.604] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0088.604] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json") returned 147 [0088.604] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0088.605] lstrcmpW (lpString1="manifest.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.605] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0088.605] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0088.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0088.605] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json") returned 147 [0088.605] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0088.605] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json") returned 147 [0088.605] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0088.605] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json") returned 147 [0088.605] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0088.605] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x52a, lpOverlapped=0x0) returned 1 [0088.624] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffffad6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.624] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x52a, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x52a, lpOverlapped=0x0) returned 1 [0088.625] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.625] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0088.625] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0088.625] CloseHandle (hObject=0x1f8) returned 1 [0088.626] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json.protected") returned 157 [0088.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json.protected")) returned 1 [0088.627] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0088.627] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0088.627] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0088.627] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0088.627] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0088.627] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0088.627] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales") returned 142 [0088.627] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0088.627] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0088.627] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\*") returned 144 [0088.627] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0088.703] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.703] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.703] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.703] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.703] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.703] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\.") returned 144 [0088.703] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.703] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.703] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.703] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.703] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.703] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.703] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.703] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\..") returned 145 [0088.703] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.703] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.703] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.703] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0088.703] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0088.703] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0088.703] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0088.703] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0088.703] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg") returned 145 [0088.703] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0088.703] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0088.704] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\*") returned 147 [0088.704] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.704] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.704] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.704] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.704] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.704] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.704] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\.") returned 147 [0088.704] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.704] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.704] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.704] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.704] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.704] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.704] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.704] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\..") returned 148 [0088.704] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.704] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.704] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.704] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.704] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.704] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.704] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.704] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.704] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json") returned 159 [0088.704] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.704] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.704] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.704] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.704] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.709] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json") returned 159 [0088.709] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.709] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json") returned 159 [0088.709] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.709] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json") returned 159 [0088.709] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.709] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x376, lpOverlapped=0x0) returned 1 [0088.722] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffc8a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.722] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x376, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x376, lpOverlapped=0x0) returned 1 [0088.722] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.722] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.722] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.722] CloseHandle (hObject=0x200) returned 1 [0088.723] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json.protected") returned 169 [0088.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json.protected")) returned 1 [0088.723] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.723] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.723] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0088.723] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.724] lstrlenA (lpString="EMPTY") returned 5 [0088.724] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.724] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.724] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.725] CloseHandle (hObject=0x1fc) returned 1 [0088.725] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.725] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0088.725] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0088.725] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0088.725] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0088.725] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0088.725] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca") returned 145 [0088.725] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0088.725] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0088.725] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\*") returned 147 [0088.725] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.725] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.725] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.725] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.725] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.725] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.725] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\.") returned 147 [0088.725] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.725] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.725] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.725] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.725] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.725] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.725] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.725] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\..") returned 148 [0088.725] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.725] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.725] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.725] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.726] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.726] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.726] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.726] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.726] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json") returned 159 [0088.726] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.726] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.726] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.726] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json") returned 159 [0088.726] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json") returned 159 [0088.726] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json") returned 159 [0088.726] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.726] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2c1, lpOverlapped=0x0) returned 1 [0088.751] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.751] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2c1, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2c1, lpOverlapped=0x0) returned 1 [0088.752] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.752] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.752] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.752] CloseHandle (hObject=0x200) returned 1 [0088.752] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json.protected") returned 169 [0088.752] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json.protected")) returned 1 [0088.753] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.753] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.753] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0088.753] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.753] lstrlenA (lpString="EMPTY") returned 5 [0088.753] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.754] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.754] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.754] CloseHandle (hObject=0x1fc) returned 1 [0088.754] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.754] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0088.754] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0088.754] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0088.754] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0088.754] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0088.754] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs") returned 145 [0088.754] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0088.754] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0088.754] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\*") returned 147 [0088.754] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.754] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.754] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.754] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.754] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.754] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.754] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\.") returned 147 [0088.754] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.754] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.755] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.755] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.755] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.755] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.755] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.755] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\..") returned 148 [0088.755] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.755] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.755] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.755] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.755] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.755] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.755] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.755] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.755] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json") returned 159 [0088.755] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.755] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.755] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.755] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.756] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json") returned 159 [0088.756] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.756] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json") returned 159 [0088.756] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.756] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json") returned 159 [0088.756] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.756] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x297, lpOverlapped=0x0) returned 1 [0088.762] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd69, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.763] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x297, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x297, lpOverlapped=0x0) returned 1 [0088.763] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.763] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.763] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.763] CloseHandle (hObject=0x200) returned 1 [0088.763] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json.protected") returned 169 [0088.763] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json.protected")) returned 1 [0088.764] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.764] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.764] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0088.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.764] lstrlenA (lpString="EMPTY") returned 5 [0088.764] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.765] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.765] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.765] CloseHandle (hObject=0x1fc) returned 1 [0088.765] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.765] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0088.765] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0088.765] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0088.765] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0088.765] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0088.765] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da") returned 145 [0088.765] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0088.765] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0088.765] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\*") returned 147 [0088.765] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.766] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.766] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.766] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.766] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.766] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.766] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\.") returned 147 [0088.766] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.766] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.766] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.766] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.766] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.766] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.766] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.766] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\..") returned 148 [0088.766] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.766] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.766] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.766] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.766] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.766] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.766] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.766] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.766] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json") returned 159 [0088.766] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.766] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.766] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.766] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.766] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.766] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json") returned 159 [0088.766] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.767] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json") returned 159 [0088.767] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.767] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json") returned 159 [0088.767] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.767] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x282, lpOverlapped=0x0) returned 1 [0088.813] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.813] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x282, lpOverlapped=0x0) returned 1 [0088.813] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.813] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.813] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.813] CloseHandle (hObject=0x200) returned 1 [0088.813] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json.protected") returned 169 [0088.814] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json.protected")) returned 1 [0088.814] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.814] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.814] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0088.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.815] lstrlenA (lpString="EMPTY") returned 5 [0088.815] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.816] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.816] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.816] CloseHandle (hObject=0x1fc) returned 1 [0088.816] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.816] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0088.816] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0088.816] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0088.816] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0088.816] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0088.816] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de") returned 145 [0088.816] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0088.816] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0088.816] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\*") returned 147 [0088.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.817] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.817] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.817] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.817] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.817] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.817] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\.") returned 147 [0088.817] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.817] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.817] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.817] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.817] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.817] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.817] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.817] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\..") returned 148 [0088.817] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.817] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.817] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.817] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.817] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.817] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.817] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.817] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.817] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json") returned 159 [0088.817] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.817] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.817] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.817] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.818] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json") returned 159 [0088.818] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.818] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json") returned 159 [0088.819] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.819] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json") returned 159 [0088.819] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.819] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2bd, lpOverlapped=0x0) returned 1 [0088.821] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.821] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2bd, lpOverlapped=0x0) returned 1 [0088.821] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.821] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.821] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.821] CloseHandle (hObject=0x200) returned 1 [0088.822] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json.protected") returned 169 [0088.822] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json.protected")) returned 1 [0088.822] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.822] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.822] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0088.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.823] lstrlenA (lpString="EMPTY") returned 5 [0088.823] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.825] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.825] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.825] CloseHandle (hObject=0x1fc) returned 1 [0088.825] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.825] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0088.825] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0088.825] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0088.825] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0088.825] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0088.825] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el") returned 145 [0088.825] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0088.825] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0088.825] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\*") returned 147 [0088.825] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.826] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.826] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.826] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.826] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.826] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.826] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\.") returned 147 [0088.826] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.826] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.826] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.826] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.826] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.826] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.826] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.826] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\..") returned 148 [0088.826] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.826] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.826] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.826] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.826] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.826] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.826] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.826] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.826] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json") returned 159 [0088.826] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.826] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.826] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.826] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.827] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json") returned 159 [0088.827] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.827] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json") returned 159 [0088.827] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.827] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json") returned 159 [0088.827] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.827] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x36b, lpOverlapped=0x0) returned 1 [0088.844] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffc95, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.844] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x36b, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x36b, lpOverlapped=0x0) returned 1 [0088.844] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.845] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.845] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.845] CloseHandle (hObject=0x200) returned 1 [0088.845] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json.protected") returned 169 [0088.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json.protected")) returned 1 [0088.846] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.846] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.846] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0088.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.846] lstrlenA (lpString="EMPTY") returned 5 [0088.846] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.847] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.847] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.847] CloseHandle (hObject=0x1fc) returned 1 [0088.848] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.848] lstrcmpiW (lpString1="en", lpString2="Windows") returned -1 [0088.848] lstrcmpiW (lpString1="en", lpString2="Program Files") returned -1 [0088.848] lstrcmpiW (lpString1="en", lpString2="Program Files (x86)") returned -1 [0088.848] lstrcmpiW (lpString1="en", lpString2="$Recycle.bin") returned 1 [0088.848] lstrcmpiW (lpString1="en", lpString2="System Volume Information") returned -1 [0088.848] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en") returned 145 [0088.848] lstrcmpW (lpString1="en", lpString2=".") returned 1 [0088.848] lstrcmpW (lpString1="en", lpString2="..") returned 1 [0088.848] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\*") returned 147 [0088.848] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.848] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.848] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.848] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.848] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.848] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.848] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\.") returned 147 [0088.848] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.848] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.848] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.848] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.848] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.848] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.849] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.849] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\..") returned 148 [0088.849] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.849] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.849] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.849] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.849] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.849] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.849] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.849] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.849] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json") returned 159 [0088.849] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.849] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.849] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.849] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.850] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json") returned 159 [0088.850] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.850] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json") returned 159 [0088.850] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.850] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json") returned 159 [0088.850] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.850] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x269, lpOverlapped=0x0) returned 1 [0088.857] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.857] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x269, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x269, lpOverlapped=0x0) returned 1 [0088.857] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.857] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.857] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.857] CloseHandle (hObject=0x200) returned 1 [0088.857] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json.protected") returned 169 [0088.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json.protected")) returned 1 [0088.858] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.858] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.858] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0088.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.859] lstrlenA (lpString="EMPTY") returned 5 [0088.859] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.860] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.860] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.860] CloseHandle (hObject=0x1fc) returned 1 [0088.860] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.860] lstrcmpiW (lpString1="en_GB", lpString2="Windows") returned -1 [0088.860] lstrcmpiW (lpString1="en_GB", lpString2="Program Files") returned -1 [0088.860] lstrcmpiW (lpString1="en_GB", lpString2="Program Files (x86)") returned -1 [0088.860] lstrcmpiW (lpString1="en_GB", lpString2="$Recycle.bin") returned 1 [0088.860] lstrcmpiW (lpString1="en_GB", lpString2="System Volume Information") returned -1 [0088.860] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB") returned 148 [0088.860] lstrcmpW (lpString1="en_GB", lpString2=".") returned 1 [0088.860] lstrcmpW (lpString1="en_GB", lpString2="..") returned 1 [0088.860] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\*") returned 150 [0088.860] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.861] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.861] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.861] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.861] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.861] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.861] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\.") returned 150 [0088.861] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.861] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.861] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.861] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.861] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.861] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.861] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.861] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\..") returned 151 [0088.861] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.861] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.861] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.861] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.861] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.861] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.861] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.861] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.861] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json") returned 162 [0088.861] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.861] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.861] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.861] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.862] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json") returned 162 [0088.862] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.862] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json") returned 162 [0088.862] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.862] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json") returned 162 [0088.862] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.862] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x269, lpOverlapped=0x0) returned 1 [0088.873] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.873] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x269, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x269, lpOverlapped=0x0) returned 1 [0088.874] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.874] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.874] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.874] CloseHandle (hObject=0x200) returned 1 [0088.874] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json.protected") returned 172 [0088.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\messages.json.protected")) returned 1 [0088.875] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.875] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.875] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 178 [0088.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.875] lstrlenA (lpString="EMPTY") returned 5 [0088.875] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.876] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.876] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.876] CloseHandle (hObject=0x1fc) returned 1 [0088.876] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.876] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0088.876] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0088.876] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0088.876] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0088.876] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0088.876] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es") returned 145 [0088.876] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0088.876] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0088.876] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\*") returned 147 [0088.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.877] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.877] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.877] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.877] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.877] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.877] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\.") returned 147 [0088.877] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.877] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.877] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.877] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.877] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.877] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.877] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.877] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\..") returned 148 [0088.877] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.877] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.877] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.877] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.877] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.877] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.877] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.877] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.877] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json") returned 159 [0088.877] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.877] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.877] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.877] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.878] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json") returned 159 [0088.878] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.878] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json") returned 159 [0088.878] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.878] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json") returned 159 [0088.878] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.878] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2b8, lpOverlapped=0x0) returned 1 [0088.893] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd48, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.893] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2b8, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2b8, lpOverlapped=0x0) returned 1 [0088.894] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.894] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.894] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.894] CloseHandle (hObject=0x200) returned 1 [0088.894] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json.protected") returned 169 [0088.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json.protected")) returned 1 [0088.895] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.895] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.895] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0088.895] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.896] lstrlenA (lpString="EMPTY") returned 5 [0088.896] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.896] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.896] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.897] CloseHandle (hObject=0x1fc) returned 1 [0088.897] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.897] lstrcmpiW (lpString1="es_419", lpString2="Windows") returned -1 [0088.897] lstrcmpiW (lpString1="es_419", lpString2="Program Files") returned -1 [0088.897] lstrcmpiW (lpString1="es_419", lpString2="Program Files (x86)") returned -1 [0088.897] lstrcmpiW (lpString1="es_419", lpString2="$Recycle.bin") returned 1 [0088.897] lstrcmpiW (lpString1="es_419", lpString2="System Volume Information") returned -1 [0088.897] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419") returned 149 [0088.897] lstrcmpW (lpString1="es_419", lpString2=".") returned 1 [0088.897] lstrcmpW (lpString1="es_419", lpString2="..") returned 1 [0088.897] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\*") returned 151 [0088.897] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.897] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.897] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.898] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.898] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.898] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.898] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\.") returned 151 [0088.898] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.898] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.898] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.898] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.898] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.898] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.898] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.898] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\..") returned 152 [0088.898] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.898] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.898] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.898] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.898] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.898] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.898] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.898] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.898] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json") returned 163 [0088.898] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.898] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.898] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.898] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.899] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json") returned 163 [0088.899] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.899] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json") returned 163 [0088.899] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.899] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json") returned 163 [0088.899] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.899] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x29b, lpOverlapped=0x0) returned 1 [0088.903] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd65, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.903] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x29b, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x29b, lpOverlapped=0x0) returned 1 [0088.903] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.903] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.903] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.903] CloseHandle (hObject=0x200) returned 1 [0088.903] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json.protected") returned 173 [0088.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json.protected")) returned 1 [0088.904] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.904] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.904] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 179 [0088.904] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.905] lstrlenA (lpString="EMPTY") returned 5 [0088.905] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.906] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.906] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.906] CloseHandle (hObject=0x1fc) returned 1 [0088.906] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.906] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0088.906] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0088.906] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0088.906] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0088.906] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0088.906] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et") returned 145 [0088.906] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0088.906] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0088.906] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\*") returned 147 [0088.906] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.907] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.907] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.907] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.907] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.907] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.907] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\.") returned 147 [0088.907] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.907] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.907] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.907] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.907] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.907] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.907] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.907] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\..") returned 148 [0088.907] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.907] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.907] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.907] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.907] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.907] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.907] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.907] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.907] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json") returned 159 [0088.907] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.907] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.907] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.907] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.907] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.908] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json") returned 159 [0088.908] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.908] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json") returned 159 [0088.908] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.908] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json") returned 159 [0088.909] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.909] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x261, lpOverlapped=0x0) returned 1 [0088.910] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.910] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x261, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x261, lpOverlapped=0x0) returned 1 [0088.910] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.910] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.910] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.910] CloseHandle (hObject=0x200) returned 1 [0088.910] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json.protected") returned 169 [0088.910] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json.protected")) returned 1 [0088.911] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.911] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.911] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0088.911] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.912] lstrlenA (lpString="EMPTY") returned 5 [0088.912] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.913] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.913] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.913] CloseHandle (hObject=0x1fc) returned 1 [0088.913] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.913] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0088.913] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0088.913] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0088.913] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0088.913] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0088.913] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi") returned 145 [0088.913] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0088.913] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0088.913] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\*") returned 147 [0088.913] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.914] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.914] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.914] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.914] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.914] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.914] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\.") returned 147 [0088.914] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.914] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.914] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.914] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.914] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.914] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.914] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.914] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\..") returned 148 [0088.914] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.914] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.914] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.914] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.914] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.914] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.914] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.914] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.914] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json") returned 159 [0088.914] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.914] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.914] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.914] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.915] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json") returned 159 [0088.915] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.915] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json") returned 159 [0088.915] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.915] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json") returned 159 [0088.915] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.915] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2a1, lpOverlapped=0x0) returned 1 [0088.934] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd5f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.934] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2a1, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2a1, lpOverlapped=0x0) returned 1 [0088.934] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.935] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.935] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.935] CloseHandle (hObject=0x200) returned 1 [0088.935] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json.protected") returned 169 [0088.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json.protected")) returned 1 [0088.936] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.936] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.936] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0088.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.937] lstrlenA (lpString="EMPTY") returned 5 [0088.937] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.937] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.937] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.938] CloseHandle (hObject=0x1fc) returned 1 [0088.938] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.938] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0088.938] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0088.938] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0088.938] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0088.938] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0088.938] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil") returned 146 [0088.938] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0088.938] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0088.938] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\*") returned 148 [0088.938] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.938] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.938] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.938] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.938] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.938] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.938] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\.") returned 148 [0088.938] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.939] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.939] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.939] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.939] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.939] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.939] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.939] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\..") returned 149 [0088.939] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.939] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.939] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.939] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.939] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.939] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.939] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.939] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.939] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json") returned 160 [0088.939] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.939] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.939] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.939] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.939] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.940] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json") returned 160 [0088.940] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.940] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json") returned 160 [0088.940] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.940] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json") returned 160 [0088.940] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.940] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2b4, lpOverlapped=0x0) returned 1 [0088.968] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd4c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.968] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2b4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2b4, lpOverlapped=0x0) returned 1 [0088.969] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.969] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.969] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.969] CloseHandle (hObject=0x200) returned 1 [0088.969] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json.protected") returned 170 [0088.969] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json.protected")) returned 1 [0088.970] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.970] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.970] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 176 [0088.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.971] lstrlenA (lpString="EMPTY") returned 5 [0088.971] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.972] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.972] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.972] CloseHandle (hObject=0x1fc) returned 1 [0088.972] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.972] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0088.972] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0088.972] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0088.972] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0088.972] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0088.973] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr") returned 145 [0088.973] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0088.973] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0088.973] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\*") returned 147 [0088.973] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.973] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.973] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.973] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.973] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.973] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.973] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\.") returned 147 [0088.973] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.973] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.973] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.973] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.973] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.973] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.973] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.973] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\..") returned 148 [0088.973] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.973] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.973] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.973] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.973] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.974] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.974] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.974] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.974] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json") returned 159 [0088.974] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.974] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.974] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.974] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.974] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.974] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json") returned 159 [0088.974] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.974] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json") returned 159 [0088.974] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.974] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json") returned 159 [0088.974] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.974] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2c4, lpOverlapped=0x0) returned 1 [0088.976] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.976] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2c4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2c4, lpOverlapped=0x0) returned 1 [0088.976] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.976] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.976] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.976] CloseHandle (hObject=0x200) returned 1 [0088.976] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json.protected") returned 169 [0088.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json.protected")) returned 1 [0088.977] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.977] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.977] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0088.977] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.978] lstrlenA (lpString="EMPTY") returned 5 [0088.978] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.979] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.979] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.979] CloseHandle (hObject=0x1fc) returned 1 [0088.979] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.979] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0088.979] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0088.979] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0088.979] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0088.979] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0088.979] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi") returned 145 [0088.979] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0088.979] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0088.979] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\*") returned 147 [0088.979] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.980] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.980] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.980] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.980] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.980] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.980] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\.") returned 147 [0088.980] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.980] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.980] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.980] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.980] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.980] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.980] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.980] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\..") returned 148 [0088.980] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.980] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.980] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.980] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.980] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.980] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.980] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.980] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.980] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json") returned 159 [0088.980] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.980] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.980] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.980] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.980] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.981] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json") returned 159 [0088.981] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.981] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json") returned 159 [0088.981] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.982] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json") returned 159 [0088.982] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.982] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x3ad, lpOverlapped=0x0) returned 1 [0088.983] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffc53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.983] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x3ad, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x3ad, lpOverlapped=0x0) returned 1 [0088.983] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.983] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0088.983] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0088.983] CloseHandle (hObject=0x200) returned 1 [0088.984] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json.protected") returned 169 [0088.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json.protected")) returned 1 [0088.984] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0088.984] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0088.984] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0088.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0088.985] lstrlenA (lpString="EMPTY") returned 5 [0088.985] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0088.986] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0088.986] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.986] CloseHandle (hObject=0x1fc) returned 1 [0088.986] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0088.986] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0088.986] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0088.986] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0088.986] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0088.986] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0088.986] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr") returned 145 [0088.986] lstrcmpW (lpString1="hr", lpString2=".") returned 1 [0088.986] lstrcmpW (lpString1="hr", lpString2="..") returned 1 [0088.986] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\*") returned 147 [0088.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0088.987] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.987] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0088.987] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0088.987] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.987] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.987] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\.") returned 147 [0088.987] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.987] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.987] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.987] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0088.987] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0088.987] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.987] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.987] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\..") returned 148 [0088.987] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.987] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.987] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0088.987] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0088.987] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0088.987] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0088.987] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0088.987] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0088.987] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json") returned 159 [0088.987] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0088.987] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0088.987] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0088.987] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0088.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0088.988] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json") returned 159 [0088.988] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0088.988] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json") returned 159 [0088.988] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0088.988] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json") returned 159 [0088.988] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0088.988] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x279, lpOverlapped=0x0) returned 1 [0089.012] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.012] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x279, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x279, lpOverlapped=0x0) returned 1 [0089.012] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.012] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.013] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.013] CloseHandle (hObject=0x200) returned 1 [0089.013] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json.protected") returned 169 [0089.013] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json.protected")) returned 1 [0089.014] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.014] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.014] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.015] lstrlenA (lpString="EMPTY") returned 5 [0089.015] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.016] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.016] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.017] CloseHandle (hObject=0x1fc) returned 1 [0089.018] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.018] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0089.018] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0089.018] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0089.018] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0089.018] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0089.018] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu") returned 145 [0089.018] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0089.018] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0089.018] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\*") returned 147 [0089.018] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.019] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.019] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.019] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.019] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.019] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.019] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\.") returned 147 [0089.019] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.019] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.019] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.019] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.019] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.019] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.019] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.019] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\..") returned 148 [0089.019] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.019] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.019] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.019] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.019] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.019] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.019] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.019] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.019] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json") returned 159 [0089.019] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.019] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.019] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.019] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.021] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json") returned 159 [0089.021] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.021] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json") returned 159 [0089.021] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.021] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json") returned 159 [0089.021] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.021] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2c6, lpOverlapped=0x0) returned 1 [0089.022] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.022] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2c6, lpOverlapped=0x0) returned 1 [0089.023] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.023] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.023] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.023] CloseHandle (hObject=0x200) returned 1 [0089.023] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json.protected") returned 169 [0089.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json.protected")) returned 1 [0089.024] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.024] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.024] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.024] lstrlenA (lpString="EMPTY") returned 5 [0089.024] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.025] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.025] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.026] CloseHandle (hObject=0x1fc) returned 1 [0089.026] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.026] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0089.026] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0089.026] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0089.026] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0089.026] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0089.026] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id") returned 145 [0089.026] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0089.026] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0089.026] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\*") returned 147 [0089.026] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.026] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.026] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.026] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.026] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.026] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.026] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\.") returned 147 [0089.026] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.026] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.026] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.026] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.027] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.027] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.027] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.027] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\..") returned 148 [0089.027] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.027] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.027] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.027] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.027] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.027] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.027] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.027] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.027] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json") returned 159 [0089.027] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.027] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.027] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.027] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.028] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json") returned 159 [0089.028] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.028] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json") returned 159 [0089.028] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.028] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json") returned 159 [0089.028] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.028] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x269, lpOverlapped=0x0) returned 1 [0089.045] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.046] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x269, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x269, lpOverlapped=0x0) returned 1 [0089.046] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.046] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.046] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.046] CloseHandle (hObject=0x200) returned 1 [0089.046] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json.protected") returned 169 [0089.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json.protected")) returned 1 [0089.047] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.047] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.047] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.047] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.047] lstrlenA (lpString="EMPTY") returned 5 [0089.047] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.048] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.048] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.048] CloseHandle (hObject=0x1fc) returned 1 [0089.048] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.048] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0089.048] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0089.048] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0089.048] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0089.048] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0089.048] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it") returned 145 [0089.048] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0089.048] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0089.048] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\*") returned 147 [0089.048] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.049] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.049] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.049] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.049] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.049] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.049] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\.") returned 147 [0089.049] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.049] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.049] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.049] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.049] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.049] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.049] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.049] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\..") returned 148 [0089.049] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.049] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.049] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.049] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.049] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.049] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.049] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.049] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.049] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json") returned 159 [0089.049] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.049] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.049] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.049] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.050] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json") returned 159 [0089.050] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.050] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json") returned 159 [0089.050] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.050] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json") returned 159 [0089.050] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.050] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x26e, lpOverlapped=0x0) returned 1 [0089.051] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd92, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.051] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x26e, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x26e, lpOverlapped=0x0) returned 1 [0089.052] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.052] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.052] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.052] CloseHandle (hObject=0x200) returned 1 [0089.052] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json.protected") returned 169 [0089.052] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json.protected")) returned 1 [0089.053] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.053] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.053] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.053] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.053] lstrlenA (lpString="EMPTY") returned 5 [0089.053] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.054] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.054] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.054] CloseHandle (hObject=0x1fc) returned 1 [0089.054] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.054] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0089.054] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0089.054] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0089.054] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0089.054] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0089.054] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja") returned 145 [0089.054] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0089.054] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0089.054] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\*") returned 147 [0089.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.055] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.055] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.055] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.055] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.055] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.055] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\.") returned 147 [0089.055] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.055] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.055] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.055] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.055] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.055] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.055] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.055] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\..") returned 148 [0089.055] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.055] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.055] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.055] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.055] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.055] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.055] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.055] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.055] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json") returned 159 [0089.055] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.055] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.055] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.055] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.056] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json") returned 159 [0089.056] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.056] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json") returned 159 [0089.056] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.056] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json") returned 159 [0089.056] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.056] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x30a, lpOverlapped=0x0) returned 1 [0089.073] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffcf6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.073] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x30a, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x30a, lpOverlapped=0x0) returned 1 [0089.073] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.073] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.074] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.074] CloseHandle (hObject=0x200) returned 1 [0089.074] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json.protected") returned 169 [0089.074] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json.protected")) returned 1 [0089.075] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.075] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.075] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.075] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.075] lstrlenA (lpString="EMPTY") returned 5 [0089.075] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.076] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.076] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.076] CloseHandle (hObject=0x1fc) returned 1 [0089.076] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.076] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0089.076] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0089.076] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0089.076] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0089.076] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0089.076] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko") returned 145 [0089.076] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0089.076] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0089.076] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\*") returned 147 [0089.076] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.077] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.077] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.077] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.077] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.077] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.077] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\.") returned 147 [0089.077] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.077] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.077] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.077] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.077] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.077] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.077] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.077] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\..") returned 148 [0089.077] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.077] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.077] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.077] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.077] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.077] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.077] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.077] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.077] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json") returned 159 [0089.077] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.077] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.077] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.077] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json") returned 159 [0089.078] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json") returned 159 [0089.078] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json") returned 159 [0089.078] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.078] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x29d, lpOverlapped=0x0) returned 1 [0089.086] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.086] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x29d, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x29d, lpOverlapped=0x0) returned 1 [0089.086] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.086] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.086] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.086] CloseHandle (hObject=0x200) returned 1 [0089.086] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json.protected") returned 169 [0089.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json.protected")) returned 1 [0089.087] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.087] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.087] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.088] lstrlenA (lpString="EMPTY") returned 5 [0089.088] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.089] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.089] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.090] CloseHandle (hObject=0x1fc) returned 1 [0089.090] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.090] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0089.090] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0089.090] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0089.090] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0089.090] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0089.090] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt") returned 145 [0089.090] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0089.090] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0089.090] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\*") returned 147 [0089.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.090] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.090] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.090] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.090] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.090] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.090] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\.") returned 147 [0089.090] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.090] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.091] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.091] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.091] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.091] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.091] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.091] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\..") returned 148 [0089.091] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.091] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.091] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.091] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.091] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.091] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.091] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.091] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.091] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json") returned 159 [0089.091] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.091] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.091] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.091] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.092] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json") returned 159 [0089.092] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.092] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json") returned 159 [0089.092] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.092] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json") returned 159 [0089.092] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.092] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2ae, lpOverlapped=0x0) returned 1 [0089.093] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.093] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2ae, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2ae, lpOverlapped=0x0) returned 1 [0089.093] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.093] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.093] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.094] CloseHandle (hObject=0x200) returned 1 [0089.094] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json.protected") returned 169 [0089.094] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json.protected")) returned 1 [0089.094] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.094] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.094] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.095] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.095] lstrlenA (lpString="EMPTY") returned 5 [0089.095] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.096] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.096] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.096] CloseHandle (hObject=0x1fc) returned 1 [0089.096] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.096] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0089.096] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0089.096] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0089.096] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0089.096] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0089.096] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv") returned 145 [0089.096] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0089.096] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0089.096] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\*") returned 147 [0089.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.096] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.096] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.096] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.097] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.097] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.097] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\.") returned 147 [0089.097] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.097] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.097] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.097] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.097] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.097] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.097] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.097] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\..") returned 148 [0089.097] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.097] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.097] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.097] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.097] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.097] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.097] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.097] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.097] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json") returned 159 [0089.097] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.097] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.097] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.097] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.098] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json") returned 159 [0089.098] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.098] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json") returned 159 [0089.098] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.098] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json") returned 159 [0089.098] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.099] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2bb, lpOverlapped=0x0) returned 1 [0089.100] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd45, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.100] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2bb, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2bb, lpOverlapped=0x0) returned 1 [0089.100] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.100] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.100] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.100] CloseHandle (hObject=0x200) returned 1 [0089.100] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json.protected") returned 169 [0089.100] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json.protected")) returned 1 [0089.101] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.101] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.101] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.102] lstrlenA (lpString="EMPTY") returned 5 [0089.102] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.103] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.103] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.103] CloseHandle (hObject=0x1fc) returned 1 [0089.103] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.103] lstrcmpiW (lpString1="nb", lpString2="Windows") returned -1 [0089.103] lstrcmpiW (lpString1="nb", lpString2="Program Files") returned -1 [0089.103] lstrcmpiW (lpString1="nb", lpString2="Program Files (x86)") returned -1 [0089.103] lstrcmpiW (lpString1="nb", lpString2="$Recycle.bin") returned 1 [0089.103] lstrcmpiW (lpString1="nb", lpString2="System Volume Information") returned -1 [0089.103] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb") returned 145 [0089.103] lstrcmpW (lpString1="nb", lpString2=".") returned 1 [0089.103] lstrcmpW (lpString1="nb", lpString2="..") returned 1 [0089.103] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\*") returned 147 [0089.103] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.103] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.103] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.103] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.103] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.103] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.104] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\.") returned 147 [0089.104] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.104] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.104] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.104] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.104] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.104] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.104] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.104] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\..") returned 148 [0089.104] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.104] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.104] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.104] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.104] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.104] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.104] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.104] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.104] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json") returned 159 [0089.104] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.104] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.104] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.104] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.105] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json") returned 159 [0089.105] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.105] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json") returned 159 [0089.105] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.105] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json") returned 159 [0089.105] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.105] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x284, lpOverlapped=0x0) returned 1 [0089.106] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.106] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x284, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x284, lpOverlapped=0x0) returned 1 [0089.106] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.106] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.106] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.107] CloseHandle (hObject=0x200) returned 1 [0089.107] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json.protected") returned 169 [0089.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json.protected")) returned 1 [0089.107] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.107] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.107] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.108] lstrlenA (lpString="EMPTY") returned 5 [0089.108] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.109] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.109] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.109] CloseHandle (hObject=0x1fc) returned 1 [0089.109] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.109] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0089.109] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0089.109] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0089.109] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0089.109] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0089.109] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl") returned 145 [0089.109] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0089.109] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0089.109] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\*") returned 147 [0089.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.110] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.110] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.110] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.110] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.110] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.110] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\.") returned 147 [0089.110] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.110] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.110] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.110] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.110] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.110] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.110] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.110] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\..") returned 148 [0089.110] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.110] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.110] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.110] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.110] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.110] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.110] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.110] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.110] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json") returned 159 [0089.110] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.110] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.110] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.110] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.111] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json") returned 159 [0089.111] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.111] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json") returned 159 [0089.111] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.111] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json") returned 159 [0089.111] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.111] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x282, lpOverlapped=0x0) returned 1 [0089.113] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.113] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x282, lpOverlapped=0x0) returned 1 [0089.113] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.113] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.113] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.113] CloseHandle (hObject=0x200) returned 1 [0089.113] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json.protected") returned 169 [0089.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json.protected")) returned 1 [0089.114] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.114] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.114] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.115] lstrlenA (lpString="EMPTY") returned 5 [0089.115] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.115] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.115] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.116] CloseHandle (hObject=0x1fc) returned 1 [0089.116] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.116] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0089.116] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0089.116] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0089.116] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0089.116] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0089.116] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl") returned 145 [0089.116] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0089.116] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0089.116] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\*") returned 147 [0089.116] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.116] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.116] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.116] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.116] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.116] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.116] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\.") returned 147 [0089.116] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.117] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.117] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.117] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.117] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.117] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.117] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.117] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\..") returned 148 [0089.117] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.117] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.117] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.117] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.117] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.117] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.117] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.117] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.117] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json") returned 159 [0089.117] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.117] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.117] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.117] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.118] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json") returned 159 [0089.118] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.118] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json") returned 159 [0089.118] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.118] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json") returned 159 [0089.118] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.118] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x29a, lpOverlapped=0x0) returned 1 [0089.168] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.168] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x29a, lpOverlapped=0x0) returned 1 [0089.168] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.168] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.168] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.168] CloseHandle (hObject=0x200) returned 1 [0089.169] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json.protected") returned 169 [0089.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json.protected")) returned 1 [0089.169] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.169] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.170] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.170] lstrlenA (lpString="EMPTY") returned 5 [0089.170] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.171] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.171] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.171] CloseHandle (hObject=0x1fc) returned 1 [0089.171] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.171] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0089.171] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0089.171] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0089.171] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0089.171] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0089.171] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR") returned 148 [0089.171] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0089.171] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0089.171] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\*") returned 150 [0089.171] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.172] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.172] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.172] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.172] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.172] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.172] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\.") returned 150 [0089.172] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.172] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.172] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.172] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.172] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.172] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.172] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.172] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\..") returned 151 [0089.172] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.172] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.172] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.172] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.172] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.172] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.172] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.172] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.172] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json") returned 162 [0089.172] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.172] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.172] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.172] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.173] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json") returned 162 [0089.173] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.173] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json") returned 162 [0089.174] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json") returned 162 [0089.174] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.174] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x29b, lpOverlapped=0x0) returned 1 [0089.193] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd65, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.193] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x29b, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x29b, lpOverlapped=0x0) returned 1 [0089.194] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.194] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.194] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.194] CloseHandle (hObject=0x200) returned 1 [0089.194] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json.protected") returned 172 [0089.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0089.195] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.195] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.195] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 178 [0089.195] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.196] lstrlenA (lpString="EMPTY") returned 5 [0089.196] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.197] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.197] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.197] CloseHandle (hObject=0x1fc) returned 1 [0089.197] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.197] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0089.197] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0089.197] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0089.197] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0089.197] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0089.197] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT") returned 148 [0089.197] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0089.197] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0089.197] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\*") returned 150 [0089.197] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.198] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.198] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.198] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.198] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.198] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.198] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\.") returned 150 [0089.198] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.198] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.198] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.198] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.198] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.198] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.198] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.198] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\..") returned 151 [0089.198] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.198] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.198] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.198] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.198] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.198] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.198] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.198] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.198] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json") returned 162 [0089.198] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.198] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.198] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.198] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json") returned 162 [0089.199] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json") returned 162 [0089.199] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json") returned 162 [0089.199] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.199] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x295, lpOverlapped=0x0) returned 1 [0089.200] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd6b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.200] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x295, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x295, lpOverlapped=0x0) returned 1 [0089.201] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.201] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.201] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.201] CloseHandle (hObject=0x200) returned 1 [0089.201] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json.protected") returned 172 [0089.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0089.202] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.202] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.202] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 178 [0089.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.202] lstrlenA (lpString="EMPTY") returned 5 [0089.202] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.203] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.203] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.203] CloseHandle (hObject=0x1fc) returned 1 [0089.203] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.203] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0089.203] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0089.203] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0089.203] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0089.203] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0089.204] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro") returned 145 [0089.204] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0089.204] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0089.204] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\*") returned 147 [0089.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.204] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.204] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.204] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.204] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.204] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.204] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\.") returned 147 [0089.204] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.204] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.204] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.204] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.204] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.204] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.204] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.204] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\..") returned 148 [0089.204] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.204] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.204] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.204] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.204] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.204] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.205] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.205] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.205] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json") returned 159 [0089.205] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.205] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.205] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.205] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json") returned 159 [0089.206] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json") returned 159 [0089.206] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json") returned 159 [0089.206] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.206] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x29c, lpOverlapped=0x0) returned 1 [0089.207] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.207] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x29c, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x29c, lpOverlapped=0x0) returned 1 [0089.208] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.208] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.208] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.208] CloseHandle (hObject=0x200) returned 1 [0089.208] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json.protected") returned 169 [0089.208] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json.protected")) returned 1 [0089.209] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.209] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.209] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.209] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.210] lstrlenA (lpString="EMPTY") returned 5 [0089.210] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.211] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.211] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.211] CloseHandle (hObject=0x1fc) returned 1 [0089.211] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.211] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0089.211] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0089.211] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0089.211] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0089.211] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0089.211] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru") returned 145 [0089.211] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0089.211] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0089.211] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\*") returned 147 [0089.211] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.212] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.212] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.212] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.212] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.212] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.212] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\.") returned 147 [0089.212] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.212] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.212] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.212] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.212] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.212] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.212] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.212] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\..") returned 148 [0089.212] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.212] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.212] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.212] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.212] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.212] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.212] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.212] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.212] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json") returned 159 [0089.212] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.212] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.212] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.212] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.213] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json") returned 159 [0089.213] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.213] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json") returned 159 [0089.213] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.213] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json") returned 159 [0089.213] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.213] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x30f, lpOverlapped=0x0) returned 1 [0089.214] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffcf1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.215] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x30f, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x30f, lpOverlapped=0x0) returned 1 [0089.215] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.215] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.215] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.215] CloseHandle (hObject=0x200) returned 1 [0089.215] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json.protected") returned 169 [0089.215] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json.protected")) returned 1 [0089.216] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.216] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.216] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.217] lstrlenA (lpString="EMPTY") returned 5 [0089.217] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.218] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.218] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.218] CloseHandle (hObject=0x1fc) returned 1 [0089.218] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.218] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0089.218] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0089.218] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0089.218] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0089.218] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0089.218] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk") returned 145 [0089.218] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0089.218] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0089.218] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\*") returned 147 [0089.218] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.219] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.219] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.219] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.219] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.219] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.219] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\.") returned 147 [0089.219] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.219] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.219] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.219] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.219] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.219] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.219] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.219] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\..") returned 148 [0089.219] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.219] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.219] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.219] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.219] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.219] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.219] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.219] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.219] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json") returned 159 [0089.219] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.219] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.219] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.220] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.221] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json") returned 159 [0089.221] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.221] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json") returned 159 [0089.221] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.221] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json") returned 159 [0089.221] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.221] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x29f, lpOverlapped=0x0) returned 1 [0089.222] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.222] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x29f, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x29f, lpOverlapped=0x0) returned 1 [0089.222] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.222] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.223] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.223] CloseHandle (hObject=0x200) returned 1 [0089.223] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json.protected") returned 169 [0089.223] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json.protected")) returned 1 [0089.224] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.224] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.224] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.224] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.224] lstrlenA (lpString="EMPTY") returned 5 [0089.224] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.225] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.225] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.225] CloseHandle (hObject=0x1fc) returned 1 [0089.226] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.226] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0089.226] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0089.226] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0089.226] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0089.226] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0089.226] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl") returned 145 [0089.226] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0089.226] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0089.226] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\*") returned 147 [0089.226] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.226] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.226] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.226] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.226] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.226] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.226] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\.") returned 147 [0089.226] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.226] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.226] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.226] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.226] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.226] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.226] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.226] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\..") returned 148 [0089.226] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.226] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.226] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.227] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.227] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.227] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.227] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.227] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.227] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json") returned 159 [0089.227] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.227] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.227] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.227] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.227] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.227] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json") returned 159 [0089.227] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.227] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json") returned 159 [0089.227] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.227] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json") returned 159 [0089.227] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.227] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x282, lpOverlapped=0x0) returned 1 [0089.232] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.232] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x282, lpOverlapped=0x0) returned 1 [0089.232] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.232] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.232] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.232] CloseHandle (hObject=0x200) returned 1 [0089.232] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json.protected") returned 169 [0089.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json.protected")) returned 1 [0089.233] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.233] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.233] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.233] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.234] lstrlenA (lpString="EMPTY") returned 5 [0089.234] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.235] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.235] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.235] CloseHandle (hObject=0x1fc) returned 1 [0089.235] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.235] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0089.235] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0089.235] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0089.235] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0089.235] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0089.235] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr") returned 145 [0089.235] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0089.235] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0089.235] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\*") returned 147 [0089.235] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.235] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.235] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.235] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.236] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.236] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.236] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\.") returned 147 [0089.236] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.236] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.236] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.236] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.236] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.236] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.236] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.236] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\..") returned 148 [0089.236] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.236] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.236] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.236] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.236] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.236] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.236] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.236] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.236] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json") returned 159 [0089.236] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.236] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.236] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.236] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.236] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.237] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json") returned 159 [0089.237] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.237] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json") returned 159 [0089.237] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.237] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json") returned 159 [0089.237] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.237] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x32c, lpOverlapped=0x0) returned 1 [0089.239] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffcd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.239] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x32c, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x32c, lpOverlapped=0x0) returned 1 [0089.239] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.239] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.239] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.239] CloseHandle (hObject=0x200) returned 1 [0089.239] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json.protected") returned 169 [0089.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json.protected")) returned 1 [0089.241] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.241] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.241] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.242] lstrlenA (lpString="EMPTY") returned 5 [0089.242] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.242] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.242] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.243] CloseHandle (hObject=0x1fc) returned 1 [0089.243] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.243] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0089.243] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0089.243] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0089.243] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0089.243] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0089.243] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv") returned 145 [0089.243] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0089.243] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0089.243] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\*") returned 147 [0089.243] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.243] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.243] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.243] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.243] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.243] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.243] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\.") returned 147 [0089.244] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.244] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.244] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.244] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.244] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.244] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.244] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.244] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\..") returned 148 [0089.244] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.244] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.244] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.244] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.244] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.244] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.244] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.244] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.244] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json") returned 159 [0089.244] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.244] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.244] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.244] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json") returned 159 [0089.245] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json") returned 159 [0089.245] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json") returned 159 [0089.245] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.245] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x289, lpOverlapped=0x0) returned 1 [0089.246] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.246] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x289, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x289, lpOverlapped=0x0) returned 1 [0089.246] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.246] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.247] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.247] CloseHandle (hObject=0x200) returned 1 [0089.247] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json.protected") returned 169 [0089.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json.protected")) returned 1 [0089.248] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.248] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.248] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.248] lstrlenA (lpString="EMPTY") returned 5 [0089.248] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.249] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.249] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.249] CloseHandle (hObject=0x1fc) returned 1 [0089.249] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.249] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0089.249] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0089.249] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0089.249] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0089.249] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0089.249] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th") returned 145 [0089.249] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0089.250] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0089.250] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\*") returned 147 [0089.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.250] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.250] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.250] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.250] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.250] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.250] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\.") returned 147 [0089.250] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.250] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.250] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.250] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.250] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.250] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.250] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.250] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\..") returned 148 [0089.250] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.250] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.250] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.250] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.250] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.250] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.250] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.250] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.250] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json") returned 159 [0089.250] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.250] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.251] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.251] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.252] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json") returned 159 [0089.252] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.252] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json") returned 159 [0089.252] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.252] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json") returned 159 [0089.252] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.252] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x44b, lpOverlapped=0x0) returned 1 [0089.253] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffbb5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.253] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x44b, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x44b, lpOverlapped=0x0) returned 1 [0089.253] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.253] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.253] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.253] CloseHandle (hObject=0x200) returned 1 [0089.254] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json.protected") returned 169 [0089.254] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json.protected")) returned 1 [0089.254] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.254] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.254] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.255] lstrlenA (lpString="EMPTY") returned 5 [0089.255] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.255] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.255] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.255] CloseHandle (hObject=0x1fc) returned 1 [0089.255] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.255] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0089.255] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0089.256] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0089.256] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0089.256] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0089.256] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr") returned 145 [0089.256] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0089.256] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0089.256] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\*") returned 147 [0089.256] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.256] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.256] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.256] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.256] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.256] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.256] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\.") returned 147 [0089.256] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.256] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.256] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.256] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.256] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.256] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.256] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.256] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\..") returned 148 [0089.256] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.256] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.256] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.256] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.256] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.256] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.256] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.256] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.256] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json") returned 159 [0089.256] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.256] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.256] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.257] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.257] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json") returned 159 [0089.257] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.257] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json") returned 159 [0089.257] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.257] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json") returned 159 [0089.257] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.257] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x28a, lpOverlapped=0x0) returned 1 [0089.258] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.258] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x28a, lpOverlapped=0x0) returned 1 [0089.258] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.258] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.258] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.258] CloseHandle (hObject=0x200) returned 1 [0089.258] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json.protected") returned 169 [0089.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json.protected")) returned 1 [0089.259] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.259] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.259] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.259] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.259] lstrlenA (lpString="EMPTY") returned 5 [0089.259] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.260] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.260] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.260] CloseHandle (hObject=0x1fc) returned 1 [0089.260] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.260] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0089.260] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0089.260] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0089.260] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0089.260] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0089.260] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk") returned 145 [0089.260] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0089.260] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0089.260] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\*") returned 147 [0089.260] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.261] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.261] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.261] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.261] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.261] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.261] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\.") returned 147 [0089.261] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.261] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.261] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.261] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.261] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.261] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.261] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.261] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\..") returned 148 [0089.261] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.261] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.261] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.261] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.261] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.261] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.261] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.261] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.261] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json") returned 159 [0089.261] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.261] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.261] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.261] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.262] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json") returned 159 [0089.262] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.262] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json") returned 159 [0089.262] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.262] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json") returned 159 [0089.262] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.263] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x315, lpOverlapped=0x0) returned 1 [0089.272] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffceb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.272] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x315, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x315, lpOverlapped=0x0) returned 1 [0089.272] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.272] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.272] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.272] CloseHandle (hObject=0x200) returned 1 [0089.272] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json.protected") returned 169 [0089.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json.protected")) returned 1 [0089.273] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.273] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.273] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.274] lstrlenA (lpString="EMPTY") returned 5 [0089.274] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.274] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.274] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.275] CloseHandle (hObject=0x1fc) returned 1 [0089.275] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.275] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0089.275] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0089.275] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0089.275] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0089.275] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0089.275] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi") returned 145 [0089.275] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0089.275] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0089.275] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\*") returned 147 [0089.275] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.275] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.275] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.275] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.275] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.275] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.275] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\.") returned 147 [0089.275] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.275] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.275] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.275] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.275] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.275] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.275] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.275] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\..") returned 148 [0089.275] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.275] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.275] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.275] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.275] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.275] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.275] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.275] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.275] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json") returned 159 [0089.275] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.275] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.276] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.276] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json") returned 159 [0089.276] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json") returned 159 [0089.276] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json") returned 159 [0089.276] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.276] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2d0, lpOverlapped=0x0) returned 1 [0089.288] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.289] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2d0, lpOverlapped=0x0) returned 1 [0089.289] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.289] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.289] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.289] CloseHandle (hObject=0x200) returned 1 [0089.289] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json.protected") returned 169 [0089.289] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json.protected")) returned 1 [0089.290] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.290] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.290] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 175 [0089.290] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.291] lstrlenA (lpString="EMPTY") returned 5 [0089.291] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.292] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.292] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.292] CloseHandle (hObject=0x1fc) returned 1 [0089.292] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.292] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0089.292] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0089.292] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0089.292] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0089.292] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0089.292] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN") returned 148 [0089.292] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0089.292] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0089.292] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\*") returned 150 [0089.292] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.293] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.293] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.293] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.293] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.293] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.293] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\.") returned 150 [0089.293] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.293] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.293] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.293] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.293] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.293] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.293] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.293] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\..") returned 151 [0089.293] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.293] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.293] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.293] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.293] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.293] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.293] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.293] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.293] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json") returned 162 [0089.293] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.293] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.293] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.293] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.294] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json") returned 162 [0089.294] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.294] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json") returned 162 [0089.294] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.294] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json") returned 162 [0089.294] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.294] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x253, lpOverlapped=0x0) returned 1 [0089.322] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffdad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.322] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x253, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x253, lpOverlapped=0x0) returned 1 [0089.322] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.322] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.322] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.322] CloseHandle (hObject=0x200) returned 1 [0089.322] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json.protected") returned 172 [0089.322] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0089.323] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.323] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.323] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 178 [0089.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.324] lstrlenA (lpString="EMPTY") returned 5 [0089.324] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.325] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.325] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.325] CloseHandle (hObject=0x1fc) returned 1 [0089.325] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.325] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0089.325] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0089.325] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0089.325] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0089.325] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0089.325] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW") returned 148 [0089.325] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0089.325] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0089.325] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\*") returned 150 [0089.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.325] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.325] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.326] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.326] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.326] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.326] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\.") returned 150 [0089.326] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.326] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.326] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.326] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.326] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.326] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.326] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.326] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\..") returned 151 [0089.326] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.326] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.326] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.326] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.326] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.326] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.326] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.326] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.326] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json") returned 162 [0089.326] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.326] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.326] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.326] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.326] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json") returned 162 [0089.327] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.327] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json") returned 162 [0089.327] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.327] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json") returned 162 [0089.327] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.327] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x280, lpOverlapped=0x0) returned 1 [0089.328] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffd80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.328] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x280, lpOverlapped=0x0) returned 1 [0089.328] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.328] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.328] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.328] CloseHandle (hObject=0x200) returned 1 [0089.328] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json.protected") returned 172 [0089.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0089.329] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.329] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.329] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 178 [0089.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.329] lstrlenA (lpString="EMPTY") returned 5 [0089.329] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.330] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.330] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.330] CloseHandle (hObject=0x1fc) returned 1 [0089.330] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0089.330] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0089.330] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0089.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0089.330] lstrlenA (lpString="EMPTY") returned 5 [0089.331] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0089.331] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.331] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0089.331] CloseHandle (hObject=0x1f8) returned 1 [0089.331] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0089.331] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0089.331] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0089.331] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0089.331] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0089.331] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0089.332] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata") returned 143 [0089.332] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0089.332] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0089.332] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\*") returned 145 [0089.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0089.332] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.332] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.332] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.332] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.332] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.332] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\.") returned 145 [0089.332] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.332] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.332] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.332] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.332] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.332] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.332] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.332] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\..") returned 146 [0089.332] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.332] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.332] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.332] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0089.332] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0089.332] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0089.332] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0089.332] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0089.332] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json") returned 166 [0089.332] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0089.332] lstrcmpW (lpString1="verified_contents.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.332] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0089.332] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0089.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.333] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json") returned 166 [0089.333] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0089.333] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json") returned 166 [0089.333] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0089.333] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json") returned 166 [0089.333] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0089.333] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0089.335] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.335] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0089.336] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.336] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0089.336] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0089.336] CloseHandle (hObject=0x1fc) returned 1 [0089.336] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json.protected") returned 176 [0089.336] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json.protected")) returned 1 [0089.337] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0089.337] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0089.337] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 173 [0089.337] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0089.337] lstrlenA (lpString="EMPTY") returned 5 [0089.337] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0089.338] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.338] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0089.338] CloseHandle (hObject=0x1f8) returned 1 [0089.338] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0 [0089.338] FindClose (in: hFindFile=0x557570 | out: hFindFile=0x557570) returned 1 [0089.340] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 163 [0089.340] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0089.340] lstrlenA (lpString="EMPTY") returned 5 [0089.340] WriteFile (in: hFile=0x1f4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed6c4*=0x5, lpOverlapped=0x0) returned 1 [0089.341] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.341] WriteFile (in: hFile=0x1f4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed6c4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.341] CloseHandle (hObject=0x1f4) returned 1 [0089.342] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0 [0089.342] FindClose (in: hFindFile=0x557530 | out: hFindFile=0x557530) returned 1 [0089.342] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 153 [0089.342] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0089.342] lstrlenA (lpString="EMPTY") returned 5 [0089.342] WriteFile (in: hFile=0x1f0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed9bc*=0x5, lpOverlapped=0x0) returned 1 [0089.343] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.343] WriteFile (in: hFile=0x1f0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed9bc*=0x2ac, lpOverlapped=0x0) returned 1 [0089.343] CloseHandle (hObject=0x1f0) returned 1 [0089.343] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0089.343] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="Windows") returned -1 [0089.344] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="Program Files") returned -1 [0089.344] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="Program Files (x86)") returned -1 [0089.344] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="$Recycle.bin") returned 1 [0089.344] lstrcmpiW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="System Volume Information") returned -1 [0089.344] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia") returned 123 [0089.344] lstrcmpW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2=".") returned 1 [0089.344] lstrcmpW (lpString1="pjkljhegncpnkpknbcohdijeoejaedia", lpString2="..") returned 1 [0089.344] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\*") returned 125 [0089.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\*", lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0x557530 [0089.344] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.344] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.344] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.344] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.344] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.344] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\.") returned 125 [0089.344] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.344] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0089.344] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.344] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.344] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.344] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.344] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.344] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\..") returned 126 [0089.344] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.344] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.344] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0089.344] lstrcmpiW (lpString1="8.1_0", lpString2="Windows") returned -1 [0089.344] lstrcmpiW (lpString1="8.1_0", lpString2="Program Files") returned -1 [0089.344] lstrcmpiW (lpString1="8.1_0", lpString2="Program Files (x86)") returned -1 [0089.344] lstrcmpiW (lpString1="8.1_0", lpString2="$Recycle.bin") returned 1 [0089.344] lstrcmpiW (lpString1="8.1_0", lpString2="System Volume Information") returned -1 [0089.344] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0") returned 129 [0089.344] lstrcmpW (lpString1="8.1_0", lpString2=".") returned 1 [0089.345] lstrcmpW (lpString1="8.1_0", lpString2="..") returned 1 [0089.345] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\*") returned 131 [0089.345] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\*", lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0x557570 [0089.368] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.368] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.368] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.368] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.368] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.368] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\.") returned 131 [0089.368] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.368] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0089.368] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.368] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.368] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.368] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.368] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.368] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\..") returned 132 [0089.368] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.368] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.368] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0089.368] lstrcmpiW (lpString1="128.png", lpString2="Windows") returned -1 [0089.368] lstrcmpiW (lpString1="128.png", lpString2="Program Files") returned -1 [0089.368] lstrcmpiW (lpString1="128.png", lpString2="Program Files (x86)") returned -1 [0089.369] lstrcmpiW (lpString1="128.png", lpString2="$Recycle.bin") returned 1 [0089.369] lstrcmpiW (lpString1="128.png", lpString2="System Volume Information") returned -1 [0089.369] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png") returned 137 [0089.369] StrStrIW (lpFirst="128.png", lpSrch=".protected") returned 0x0 [0089.369] lstrcmpW (lpString1="128.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0089.369] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0089.369] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0089.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0089.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png") returned 137 [0089.370] StrStrW (lpFirst="128.png", lpSrch=".txt") returned 0x0 [0089.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png") returned 137 [0089.370] StrStrW (lpFirst="128.png", lpSrch=".rar") returned 0x0 [0089.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png") returned 137 [0089.370] StrStrW (lpFirst="128.png", lpSrch=".zip") returned 0x0 [0089.370] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x180f, lpOverlapped=0x0) returned 1 [0089.387] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffe7f1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.387] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x180f, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x180f, lpOverlapped=0x0) returned 1 [0089.387] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.387] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0089.387] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0089.387] CloseHandle (hObject=0x1f8) returned 1 [0089.388] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png.protected") returned 147 [0089.388] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png.protected")) returned 1 [0089.388] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0089.388] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0089.388] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0089.389] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0089.389] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0089.389] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0089.389] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json") returned 143 [0089.389] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0089.389] lstrcmpW (lpString1="manifest.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.389] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0089.389] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0089.389] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0089.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json") returned 143 [0089.389] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0089.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json") returned 143 [0089.389] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0089.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json") returned 143 [0089.389] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0089.389] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x310, lpOverlapped=0x0) returned 1 [0089.402] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffffcf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.402] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x310, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x310, lpOverlapped=0x0) returned 1 [0089.403] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.403] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0089.403] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0089.403] CloseHandle (hObject=0x1f8) returned 1 [0089.404] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json.protected") returned 153 [0089.404] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json.protected")) returned 1 [0089.405] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0089.405] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0089.405] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0089.405] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0089.405] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0089.405] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0089.405] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales") returned 138 [0089.405] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0089.405] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0089.405] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\*") returned 140 [0089.405] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0089.407] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.407] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.407] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.407] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.407] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.407] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\.") returned 140 [0089.407] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.407] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.407] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.407] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.407] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.407] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.408] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.408] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\..") returned 141 [0089.408] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.408] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.408] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.408] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0089.408] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0089.408] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0089.408] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0089.408] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0089.408] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar") returned 141 [0089.408] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0089.408] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0089.408] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\*") returned 143 [0089.408] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.409] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.409] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.409] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.409] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.409] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.409] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\.") returned 143 [0089.409] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.409] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.409] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.409] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.409] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.409] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.409] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.409] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\..") returned 144 [0089.409] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.409] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.409] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.409] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.409] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.409] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.409] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.409] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.409] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json") returned 155 [0089.409] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.409] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.409] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.409] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.410] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json") returned 155 [0089.410] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.410] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json") returned 155 [0089.410] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.410] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json") returned 155 [0089.410] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.410] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x138, lpOverlapped=0x0) returned 1 [0089.411] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffec8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.411] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x138, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x138, lpOverlapped=0x0) returned 1 [0089.411] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.411] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.411] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.411] CloseHandle (hObject=0x200) returned 1 [0089.412] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json.protected") returned 165 [0089.412] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json.protected")) returned 1 [0089.412] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.412] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.412] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.413] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.413] lstrlenA (lpString="EMPTY") returned 5 [0089.413] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.413] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.413] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.414] CloseHandle (hObject=0x1fc) returned 1 [0089.414] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.414] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0089.414] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0089.414] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0089.414] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0089.414] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0089.414] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg") returned 141 [0089.414] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0089.414] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0089.414] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\*") returned 143 [0089.414] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.414] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.414] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.414] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.414] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.414] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.414] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\.") returned 143 [0089.414] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.414] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.414] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.414] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.414] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.414] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.414] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.414] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\..") returned 144 [0089.414] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.414] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.414] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.415] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.415] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.415] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.415] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.415] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.415] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json") returned 155 [0089.415] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.415] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.415] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.415] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.415] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json") returned 155 [0089.415] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.415] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json") returned 155 [0089.415] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.415] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json") returned 155 [0089.415] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.415] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x124, lpOverlapped=0x0) returned 1 [0089.416] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffedc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.416] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x124, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x124, lpOverlapped=0x0) returned 1 [0089.416] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.416] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.416] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.416] CloseHandle (hObject=0x200) returned 1 [0089.416] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json.protected") returned 165 [0089.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json.protected")) returned 1 [0089.417] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.417] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.417] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.417] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.417] lstrlenA (lpString="EMPTY") returned 5 [0089.417] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.418] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.418] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.418] CloseHandle (hObject=0x1fc) returned 1 [0089.418] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.418] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0089.418] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0089.418] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0089.418] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0089.419] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0089.419] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca") returned 141 [0089.419] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0089.419] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0089.419] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\*") returned 143 [0089.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.419] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.419] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.419] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.419] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.419] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.419] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\.") returned 143 [0089.419] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.419] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.419] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.419] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.419] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.419] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.419] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.420] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\..") returned 144 [0089.420] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.420] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.420] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.420] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.420] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.420] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.420] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.420] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.420] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json") returned 155 [0089.420] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.420] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.420] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.420] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.421] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json") returned 155 [0089.421] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.421] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json") returned 155 [0089.421] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.421] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json") returned 155 [0089.421] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.421] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xfe, lpOverlapped=0x0) returned 1 [0089.422] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.422] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xfe, lpOverlapped=0x0) returned 1 [0089.422] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.422] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.422] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.422] CloseHandle (hObject=0x200) returned 1 [0089.423] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json.protected") returned 165 [0089.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json.protected")) returned 1 [0089.423] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.423] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.423] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.424] lstrlenA (lpString="EMPTY") returned 5 [0089.424] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.424] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.424] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.425] CloseHandle (hObject=0x1fc) returned 1 [0089.425] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.425] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0089.425] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0089.425] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0089.425] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0089.425] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0089.425] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs") returned 141 [0089.425] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0089.425] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0089.425] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\*") returned 143 [0089.425] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.426] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.426] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.426] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.426] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.426] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.426] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\.") returned 143 [0089.426] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.426] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.426] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.426] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.426] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.426] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.426] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.426] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\..") returned 144 [0089.426] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.426] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.426] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.426] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.426] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.426] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.427] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.427] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.427] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json") returned 155 [0089.427] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.427] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.427] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.427] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.428] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json") returned 155 [0089.428] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.428] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json") returned 155 [0089.428] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.428] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json") returned 155 [0089.428] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.428] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xf9, lpOverlapped=0x0) returned 1 [0089.428] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.428] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xf9, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xf9, lpOverlapped=0x0) returned 1 [0089.429] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.429] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.429] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.429] CloseHandle (hObject=0x200) returned 1 [0089.429] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json.protected") returned 165 [0089.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json.protected")) returned 1 [0089.430] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.430] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.430] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.430] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.430] lstrlenA (lpString="EMPTY") returned 5 [0089.430] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.431] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.431] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.431] CloseHandle (hObject=0x1fc) returned 1 [0089.431] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.431] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0089.431] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0089.431] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0089.431] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0089.431] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0089.431] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da") returned 141 [0089.431] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0089.431] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0089.431] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\*") returned 143 [0089.431] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.432] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.432] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.432] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.432] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.432] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.432] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\.") returned 143 [0089.432] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.432] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.432] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.432] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.432] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.432] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.432] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.432] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\..") returned 144 [0089.432] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.432] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.432] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.432] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.432] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.432] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.432] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.432] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.432] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json") returned 155 [0089.432] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.432] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.432] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.432] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.432] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.433] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json") returned 155 [0089.433] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.433] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json") returned 155 [0089.433] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.433] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json") returned 155 [0089.433] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.433] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xec, lpOverlapped=0x0) returned 1 [0089.434] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.434] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xec, lpOverlapped=0x0) returned 1 [0089.434] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.434] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.434] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.434] CloseHandle (hObject=0x200) returned 1 [0089.435] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json.protected") returned 165 [0089.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json.protected")) returned 1 [0089.435] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.435] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.435] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.436] lstrlenA (lpString="EMPTY") returned 5 [0089.436] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.436] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.436] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.436] CloseHandle (hObject=0x1fc) returned 1 [0089.436] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.436] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0089.436] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0089.437] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0089.437] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0089.437] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0089.437] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de") returned 141 [0089.437] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0089.437] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0089.437] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\*") returned 143 [0089.437] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.437] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.437] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.437] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.437] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.437] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.437] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\.") returned 143 [0089.437] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.437] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.438] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.438] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.438] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.438] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.438] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.438] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\..") returned 144 [0089.438] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.438] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.438] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.438] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.438] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.438] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.438] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.438] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.438] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json") returned 155 [0089.438] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.438] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.438] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.438] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.438] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.438] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json") returned 155 [0089.438] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.438] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json") returned 155 [0089.438] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.438] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json") returned 155 [0089.438] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.438] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xef, lpOverlapped=0x0) returned 1 [0089.439] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff11, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.439] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xef, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xef, lpOverlapped=0x0) returned 1 [0089.439] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.439] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.439] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.439] CloseHandle (hObject=0x200) returned 1 [0089.439] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json.protected") returned 165 [0089.440] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json.protected")) returned 1 [0089.440] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.440] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.440] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.440] lstrlenA (lpString="EMPTY") returned 5 [0089.440] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.441] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.441] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.441] CloseHandle (hObject=0x1fc) returned 1 [0089.441] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.441] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0089.441] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0089.441] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0089.441] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0089.441] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0089.441] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el") returned 141 [0089.442] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0089.442] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0089.442] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\*") returned 143 [0089.442] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.442] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.442] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.442] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.442] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.442] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.442] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\.") returned 143 [0089.442] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.442] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.442] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.442] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.442] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.442] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.442] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.442] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\..") returned 144 [0089.442] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.443] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.443] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.443] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.443] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.443] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.443] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.443] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.443] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json") returned 155 [0089.443] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.443] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.443] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.443] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.444] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json") returned 155 [0089.444] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.444] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json") returned 155 [0089.444] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.444] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json") returned 155 [0089.444] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.444] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x14c, lpOverlapped=0x0) returned 1 [0089.444] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffeb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.444] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x14c, lpOverlapped=0x0) returned 1 [0089.444] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.444] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.445] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.445] CloseHandle (hObject=0x200) returned 1 [0089.445] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json.protected") returned 165 [0089.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json.protected")) returned 1 [0089.445] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.445] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.446] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.446] lstrlenA (lpString="EMPTY") returned 5 [0089.446] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.447] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.447] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.447] CloseHandle (hObject=0x1fc) returned 1 [0089.447] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.447] lstrcmpiW (lpString1="en", lpString2="Windows") returned -1 [0089.447] lstrcmpiW (lpString1="en", lpString2="Program Files") returned -1 [0089.447] lstrcmpiW (lpString1="en", lpString2="Program Files (x86)") returned -1 [0089.447] lstrcmpiW (lpString1="en", lpString2="$Recycle.bin") returned 1 [0089.447] lstrcmpiW (lpString1="en", lpString2="System Volume Information") returned -1 [0089.447] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en") returned 141 [0089.447] lstrcmpW (lpString1="en", lpString2=".") returned 1 [0089.447] lstrcmpW (lpString1="en", lpString2="..") returned 1 [0089.447] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\*") returned 143 [0089.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.447] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.447] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.447] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.447] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.447] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.447] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\.") returned 143 [0089.447] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.447] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.447] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.448] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.448] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.448] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.448] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.448] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\..") returned 144 [0089.448] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.448] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.448] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.448] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.448] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.448] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.448] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.448] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.448] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json") returned 155 [0089.448] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.448] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.448] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.448] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.448] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json") returned 155 [0089.448] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.448] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json") returned 155 [0089.448] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.448] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json") returned 155 [0089.448] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.448] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd7, lpOverlapped=0x0) returned 1 [0089.449] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.449] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd7, lpOverlapped=0x0) returned 1 [0089.449] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.449] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.450] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.450] CloseHandle (hObject=0x200) returned 1 [0089.450] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json.protected") returned 165 [0089.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json.protected")) returned 1 [0089.450] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.450] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.451] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.451] lstrlenA (lpString="EMPTY") returned 5 [0089.451] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.452] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.452] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.452] CloseHandle (hObject=0x1fc) returned 1 [0089.452] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.452] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0089.452] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0089.452] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0089.452] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0089.452] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0089.452] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es") returned 141 [0089.452] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0089.452] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0089.452] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\*") returned 143 [0089.453] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.453] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.453] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.453] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.453] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.453] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.453] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\.") returned 143 [0089.453] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.453] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.453] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.453] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.453] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.453] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.453] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.453] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\..") returned 144 [0089.453] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.453] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.453] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.453] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.453] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.453] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.453] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.453] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.453] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json") returned 155 [0089.453] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.453] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.453] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.453] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.455] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json") returned 155 [0089.455] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.455] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json") returned 155 [0089.455] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.455] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json") returned 155 [0089.455] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.455] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x10d, lpOverlapped=0x0) returned 1 [0089.456] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.456] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x10d, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x10d, lpOverlapped=0x0) returned 1 [0089.456] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.456] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.456] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.456] CloseHandle (hObject=0x200) returned 1 [0089.456] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json.protected") returned 165 [0089.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json.protected")) returned 1 [0089.457] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.457] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.457] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.457] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.458] lstrlenA (lpString="EMPTY") returned 5 [0089.458] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.459] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.459] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.459] CloseHandle (hObject=0x1fc) returned 1 [0089.459] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.459] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0089.459] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0089.459] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0089.459] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0089.459] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0089.459] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi") returned 141 [0089.459] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0089.459] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0089.460] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\*") returned 143 [0089.460] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.461] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.461] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.461] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.461] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.461] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.461] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\.") returned 143 [0089.461] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.461] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.461] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.461] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.461] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.461] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.461] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.461] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\..") returned 144 [0089.461] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.461] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.461] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.461] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.461] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.461] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.461] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.461] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.461] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json") returned 155 [0089.461] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.461] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.461] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.461] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.463] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json") returned 155 [0089.463] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.463] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json") returned 155 [0089.463] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.463] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json") returned 155 [0089.463] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.463] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x100, lpOverlapped=0x0) returned 1 [0089.464] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.464] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x100, lpOverlapped=0x0) returned 1 [0089.464] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.464] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.464] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.464] CloseHandle (hObject=0x200) returned 1 [0089.464] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json.protected") returned 165 [0089.464] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json.protected")) returned 1 [0089.465] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.465] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.465] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.466] lstrlenA (lpString="EMPTY") returned 5 [0089.466] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.467] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.467] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.467] CloseHandle (hObject=0x1fc) returned 1 [0089.467] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.467] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0089.467] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0089.467] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0089.467] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0089.468] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0089.468] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil") returned 142 [0089.468] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0089.468] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0089.468] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\*") returned 144 [0089.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.469] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.469] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.469] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.469] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.469] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.469] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\.") returned 144 [0089.469] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.469] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.469] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.469] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.469] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.469] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.469] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.469] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\..") returned 145 [0089.469] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.469] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.469] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.469] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.469] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.469] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.469] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.470] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.470] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json") returned 156 [0089.470] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.470] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.470] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.470] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.471] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json") returned 156 [0089.471] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.471] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json") returned 156 [0089.471] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.471] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json") returned 156 [0089.471] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.471] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xea, lpOverlapped=0x0) returned 1 [0089.472] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.472] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xea, lpOverlapped=0x0) returned 1 [0089.472] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.472] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.473] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.473] CloseHandle (hObject=0x200) returned 1 [0089.473] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json.protected") returned 166 [0089.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json.protected")) returned 1 [0089.473] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.473] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.473] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 172 [0089.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.474] lstrlenA (lpString="EMPTY") returned 5 [0089.474] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.475] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.475] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.475] CloseHandle (hObject=0x1fc) returned 1 [0089.475] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.475] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0089.475] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0089.475] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0089.475] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0089.475] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0089.475] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr") returned 141 [0089.475] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0089.475] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0089.475] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\*") returned 143 [0089.475] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.475] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.476] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.476] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.476] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.476] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.476] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\.") returned 143 [0089.476] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.476] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.476] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.476] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.476] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.476] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.476] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.476] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\..") returned 144 [0089.476] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.476] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.476] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.476] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.476] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.476] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.476] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.476] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.476] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json") returned 155 [0089.476] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.476] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.476] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.476] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.477] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json") returned 155 [0089.477] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.477] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json") returned 155 [0089.477] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.477] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json") returned 155 [0089.477] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.477] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x10c, lpOverlapped=0x0) returned 1 [0089.478] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.478] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x10c, lpOverlapped=0x0) returned 1 [0089.478] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.478] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.478] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.478] CloseHandle (hObject=0x200) returned 1 [0089.478] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json.protected") returned 165 [0089.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json.protected")) returned 1 [0089.479] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.479] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.479] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.480] lstrlenA (lpString="EMPTY") returned 5 [0089.480] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.481] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.481] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.481] CloseHandle (hObject=0x1fc) returned 1 [0089.481] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.481] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0089.481] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0089.481] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0089.481] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0089.481] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0089.481] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi") returned 141 [0089.481] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0089.481] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0089.481] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\*") returned 143 [0089.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.482] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.482] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.482] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.482] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.482] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.482] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\.") returned 143 [0089.482] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.482] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.482] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.482] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.482] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.482] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.482] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.482] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\..") returned 144 [0089.482] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.482] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.482] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.482] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.482] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.482] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.482] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.482] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.482] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json") returned 155 [0089.482] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.482] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.482] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.482] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.483] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json") returned 155 [0089.483] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.483] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json") returned 155 [0089.483] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.483] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json") returned 155 [0089.483] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.483] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x121, lpOverlapped=0x0) returned 1 [0089.484] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffedf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.484] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x121, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x121, lpOverlapped=0x0) returned 1 [0089.484] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.485] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.485] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.485] CloseHandle (hObject=0x200) returned 1 [0089.485] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json.protected") returned 165 [0089.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json.protected")) returned 1 [0089.486] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.486] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.486] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.486] lstrlenA (lpString="EMPTY") returned 5 [0089.486] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.487] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.487] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.487] CloseHandle (hObject=0x1fc) returned 1 [0089.487] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.487] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0089.487] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0089.487] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0089.487] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0089.487] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0089.487] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr") returned 141 [0089.487] lstrcmpW (lpString1="hr", lpString2=".") returned 1 [0089.487] lstrcmpW (lpString1="hr", lpString2="..") returned 1 [0089.487] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\*") returned 143 [0089.487] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.488] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.488] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.488] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.488] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.488] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.488] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\.") returned 143 [0089.488] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.488] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.488] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.488] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.488] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.488] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.488] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.488] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\..") returned 144 [0089.488] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.488] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.488] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.488] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.488] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.488] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.488] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.488] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.488] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json") returned 155 [0089.488] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.488] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.488] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.488] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.489] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json") returned 155 [0089.489] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.489] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json") returned 155 [0089.489] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.489] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json") returned 155 [0089.489] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.489] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe6, lpOverlapped=0x0) returned 1 [0089.489] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.489] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe6, lpOverlapped=0x0) returned 1 [0089.489] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.489] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.490] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.490] CloseHandle (hObject=0x200) returned 1 [0089.490] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json.protected") returned 165 [0089.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json.protected")) returned 1 [0089.493] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.493] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.493] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.493] lstrlenA (lpString="EMPTY") returned 5 [0089.493] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.494] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.494] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.494] CloseHandle (hObject=0x1fc) returned 1 [0089.494] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.494] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0089.494] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0089.494] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0089.494] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0089.494] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0089.494] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu") returned 141 [0089.494] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0089.494] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0089.494] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\*") returned 143 [0089.494] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.495] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.495] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.495] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.495] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.495] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.495] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\.") returned 143 [0089.495] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.495] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.495] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.495] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.495] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.495] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.495] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.495] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\..") returned 144 [0089.495] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.495] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.495] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.495] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.495] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.495] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.495] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.495] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.495] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json") returned 155 [0089.495] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.495] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.495] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.495] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.496] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json") returned 155 [0089.496] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.496] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json") returned 155 [0089.496] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.496] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json") returned 155 [0089.496] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.496] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe2, lpOverlapped=0x0) returned 1 [0089.496] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.496] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe2, lpOverlapped=0x0) returned 1 [0089.496] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.497] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.497] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.497] CloseHandle (hObject=0x200) returned 1 [0089.497] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json.protected") returned 165 [0089.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json.protected")) returned 1 [0089.497] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.497] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.497] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.498] lstrlenA (lpString="EMPTY") returned 5 [0089.498] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.499] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.499] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.499] CloseHandle (hObject=0x1fc) returned 1 [0089.499] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.499] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0089.499] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0089.499] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0089.499] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0089.499] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0089.499] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id") returned 141 [0089.499] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0089.499] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0089.499] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\*") returned 143 [0089.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.499] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.499] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.499] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.499] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.500] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.500] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\.") returned 143 [0089.500] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.500] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.500] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.500] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.500] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.500] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.500] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.500] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\..") returned 144 [0089.500] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.500] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.500] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.500] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.500] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.500] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.500] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.500] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.500] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json") returned 155 [0089.500] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.500] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.500] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.500] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.500] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.500] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json") returned 155 [0089.500] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.500] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json") returned 155 [0089.500] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.500] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json") returned 155 [0089.501] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.501] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xf2, lpOverlapped=0x0) returned 1 [0089.501] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.501] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xf2, lpOverlapped=0x0) returned 1 [0089.501] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.501] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.502] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.502] CloseHandle (hObject=0x200) returned 1 [0089.502] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json.protected") returned 165 [0089.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json.protected")) returned 1 [0089.502] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.502] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.502] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.503] lstrlenA (lpString="EMPTY") returned 5 [0089.503] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.505] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.505] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.505] CloseHandle (hObject=0x1fc) returned 1 [0089.505] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.505] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0089.505] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0089.505] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0089.505] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0089.505] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0089.505] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it") returned 141 [0089.505] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0089.505] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0089.505] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\*") returned 143 [0089.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.505] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.505] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.505] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.505] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.505] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.505] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\.") returned 143 [0089.505] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.505] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.505] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.505] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.506] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.506] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.506] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.506] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\..") returned 144 [0089.506] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.506] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.506] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.506] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.506] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.506] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.506] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.506] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.506] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json") returned 155 [0089.506] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.506] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.506] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.506] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.507] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json") returned 155 [0089.507] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.507] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json") returned 155 [0089.507] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.507] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json") returned 155 [0089.507] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.507] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x100, lpOverlapped=0x0) returned 1 [0089.508] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.508] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x100, lpOverlapped=0x0) returned 1 [0089.508] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.508] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.508] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.508] CloseHandle (hObject=0x200) returned 1 [0089.508] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json.protected") returned 165 [0089.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json.protected")) returned 1 [0089.509] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.509] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.509] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.509] lstrlenA (lpString="EMPTY") returned 5 [0089.509] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.510] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.510] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.510] CloseHandle (hObject=0x1fc) returned 1 [0089.510] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.510] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0089.510] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0089.510] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0089.511] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0089.511] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0089.511] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja") returned 141 [0089.511] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0089.511] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0089.511] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\*") returned 143 [0089.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.511] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.511] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.511] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.511] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.511] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.511] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\.") returned 143 [0089.511] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.511] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.511] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.511] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.511] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.511] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.511] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.511] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\..") returned 144 [0089.511] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.511] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.511] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.511] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.511] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.511] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.511] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.511] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.511] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json") returned 155 [0089.511] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.511] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.511] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.511] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.512] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json") returned 155 [0089.512] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.512] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json") returned 155 [0089.512] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.512] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json") returned 155 [0089.512] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.512] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x10f, lpOverlapped=0x0) returned 1 [0089.513] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.513] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x10f, lpOverlapped=0x0) returned 1 [0089.513] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.513] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.513] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.513] CloseHandle (hObject=0x200) returned 1 [0089.513] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json.protected") returned 165 [0089.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json.protected")) returned 1 [0089.514] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.514] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.514] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.514] lstrlenA (lpString="EMPTY") returned 5 [0089.514] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.515] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.515] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.515] CloseHandle (hObject=0x1fc) returned 1 [0089.515] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.515] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0089.515] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0089.515] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0089.515] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0089.515] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0089.515] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko") returned 141 [0089.515] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0089.516] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0089.516] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\*") returned 143 [0089.516] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.516] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.516] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.516] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.516] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.516] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.516] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\.") returned 143 [0089.516] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.516] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.516] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.516] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.516] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.516] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.516] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.516] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\..") returned 144 [0089.516] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.516] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.516] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.516] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.516] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.516] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.516] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.516] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.516] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json") returned 155 [0089.516] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.516] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.516] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.516] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.517] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json") returned 155 [0089.517] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.517] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json") returned 155 [0089.517] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.517] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json") returned 155 [0089.517] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.517] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x100, lpOverlapped=0x0) returned 1 [0089.518] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.518] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x100, lpOverlapped=0x0) returned 1 [0089.518] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.518] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.518] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.518] CloseHandle (hObject=0x200) returned 1 [0089.518] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json.protected") returned 165 [0089.518] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json.protected")) returned 1 [0089.519] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.519] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.519] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.519] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.519] lstrlenA (lpString="EMPTY") returned 5 [0089.519] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.520] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.520] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.520] CloseHandle (hObject=0x1fc) returned 1 [0089.520] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.520] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0089.520] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0089.520] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0089.520] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0089.520] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0089.520] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt") returned 141 [0089.520] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0089.521] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0089.521] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\*") returned 143 [0089.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.521] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.521] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.521] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.521] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.521] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.521] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\.") returned 143 [0089.521] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.521] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.521] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.521] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.521] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.521] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.521] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.521] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\..") returned 144 [0089.521] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.521] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.521] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.521] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.521] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.521] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.521] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.521] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.521] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json") returned 155 [0089.521] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.521] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.521] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.521] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.522] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json") returned 155 [0089.523] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json") returned 155 [0089.523] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json") returned 155 [0089.523] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.523] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xfd, lpOverlapped=0x0) returned 1 [0089.523] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff03, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.523] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xfd, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xfd, lpOverlapped=0x0) returned 1 [0089.523] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.524] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.524] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.524] CloseHandle (hObject=0x200) returned 1 [0089.524] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json.protected") returned 165 [0089.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json.protected")) returned 1 [0089.524] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.525] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.525] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.525] lstrlenA (lpString="EMPTY") returned 5 [0089.525] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.526] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.526] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.526] CloseHandle (hObject=0x1fc) returned 1 [0089.526] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.526] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0089.526] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0089.526] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0089.526] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0089.526] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0089.526] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv") returned 141 [0089.526] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0089.526] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0089.526] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\*") returned 143 [0089.526] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.526] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.526] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.526] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.526] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.526] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.526] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\.") returned 143 [0089.526] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.526] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.527] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.527] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.527] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.527] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.527] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.527] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\..") returned 144 [0089.527] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.527] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.527] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.527] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.527] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.527] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.527] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.527] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.527] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json") returned 155 [0089.527] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.527] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.527] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.527] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.527] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json") returned 155 [0089.527] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.527] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json") returned 155 [0089.527] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.527] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json") returned 155 [0089.527] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.527] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xee, lpOverlapped=0x0) returned 1 [0089.528] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.528] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xee, lpOverlapped=0x0) returned 1 [0089.528] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.528] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.528] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.529] CloseHandle (hObject=0x200) returned 1 [0089.529] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json.protected") returned 165 [0089.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json.protected")) returned 1 [0089.529] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.529] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.529] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.530] lstrlenA (lpString="EMPTY") returned 5 [0089.530] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.530] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.530] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.531] CloseHandle (hObject=0x1fc) returned 1 [0089.531] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.531] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0089.531] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0089.531] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0089.531] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0089.531] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0089.531] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl") returned 141 [0089.531] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0089.531] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0089.531] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\*") returned 143 [0089.531] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.531] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.531] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.531] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.531] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.531] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.531] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\.") returned 143 [0089.531] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.532] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.532] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.532] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.532] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.532] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.532] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.532] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\..") returned 144 [0089.532] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.532] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.532] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.532] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.532] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.532] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.532] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.532] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.532] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json") returned 155 [0089.532] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.532] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.532] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.532] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json") returned 155 [0089.533] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json") returned 155 [0089.533] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json") returned 155 [0089.533] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.533] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe8, lpOverlapped=0x0) returned 1 [0089.534] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.534] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe8, lpOverlapped=0x0) returned 1 [0089.534] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.534] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.534] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.535] CloseHandle (hObject=0x200) returned 1 [0089.535] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json.protected") returned 165 [0089.535] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json.protected")) returned 1 [0089.535] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.535] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.535] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.536] lstrlenA (lpString="EMPTY") returned 5 [0089.536] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.536] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.536] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.543] CloseHandle (hObject=0x1fc) returned 1 [0089.543] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.543] lstrcmpiW (lpString1="no", lpString2="Windows") returned -1 [0089.543] lstrcmpiW (lpString1="no", lpString2="Program Files") returned -1 [0089.543] lstrcmpiW (lpString1="no", lpString2="Program Files (x86)") returned -1 [0089.543] lstrcmpiW (lpString1="no", lpString2="$Recycle.bin") returned 1 [0089.543] lstrcmpiW (lpString1="no", lpString2="System Volume Information") returned -1 [0089.543] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no") returned 141 [0089.543] lstrcmpW (lpString1="no", lpString2=".") returned 1 [0089.544] lstrcmpW (lpString1="no", lpString2="..") returned 1 [0089.544] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\*") returned 143 [0089.544] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.544] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.544] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.544] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.544] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.544] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.544] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\.") returned 143 [0089.544] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.544] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.544] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.544] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.544] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.544] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.544] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.544] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\..") returned 144 [0089.544] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.544] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.544] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.544] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.544] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.544] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.544] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.544] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.544] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json") returned 155 [0089.544] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.544] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.544] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.544] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.544] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.545] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json") returned 155 [0089.545] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.545] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json") returned 155 [0089.545] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.545] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json") returned 155 [0089.545] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.545] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd2, lpOverlapped=0x0) returned 1 [0089.547] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.547] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd2, lpOverlapped=0x0) returned 1 [0089.547] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.547] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.547] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.547] CloseHandle (hObject=0x200) returned 1 [0089.547] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json.protected") returned 165 [0089.547] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json.protected")) returned 1 [0089.548] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.548] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.548] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.548] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.549] lstrlenA (lpString="EMPTY") returned 5 [0089.549] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.550] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.550] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.550] CloseHandle (hObject=0x1fc) returned 1 [0089.550] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.550] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0089.550] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0089.550] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0089.550] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0089.550] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0089.550] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl") returned 141 [0089.550] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0089.550] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0089.550] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\*") returned 143 [0089.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.551] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.551] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.551] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.551] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.551] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.551] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\.") returned 143 [0089.551] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.551] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.551] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.551] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.551] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.551] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.551] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.551] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\..") returned 144 [0089.551] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.551] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.551] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.551] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.551] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.551] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.551] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.551] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.551] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json") returned 155 [0089.551] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.552] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.552] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.552] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.552] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json") returned 155 [0089.552] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.552] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json") returned 155 [0089.552] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.552] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json") returned 155 [0089.552] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.552] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x108, lpOverlapped=0x0) returned 1 [0089.553] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.553] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x108, lpOverlapped=0x0) returned 1 [0089.553] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.554] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.554] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.554] CloseHandle (hObject=0x200) returned 1 [0089.554] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json.protected") returned 165 [0089.554] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json.protected")) returned 1 [0089.554] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.555] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.555] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.555] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.555] lstrlenA (lpString="EMPTY") returned 5 [0089.555] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.556] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.556] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.556] CloseHandle (hObject=0x1fc) returned 1 [0089.556] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.556] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0089.556] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0089.556] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0089.556] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0089.556] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0089.556] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR") returned 144 [0089.556] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0089.556] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0089.556] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\*") returned 146 [0089.556] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.557] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.557] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.557] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.557] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.557] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.557] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\.") returned 146 [0089.557] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.557] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.557] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.557] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.557] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.557] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.557] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.559] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\..") returned 147 [0089.559] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.559] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.559] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.559] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.559] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.559] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.559] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.559] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.559] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0089.559] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.559] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.559] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.559] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.559] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0089.559] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.559] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0089.559] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.559] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0089.559] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.559] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0089.560] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.560] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0089.560] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.560] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.560] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.560] CloseHandle (hObject=0x200) returned 1 [0089.561] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json.protected") returned 168 [0089.561] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0089.561] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.561] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.561] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0089.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.561] lstrlenA (lpString="EMPTY") returned 5 [0089.562] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.562] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.562] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.563] CloseHandle (hObject=0x1fc) returned 1 [0089.564] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.564] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0089.564] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0089.564] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0089.564] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0089.564] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0089.564] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT") returned 144 [0089.564] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0089.564] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0089.564] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\*") returned 146 [0089.564] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.564] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.564] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.564] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.564] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.564] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.564] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\.") returned 146 [0089.564] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.564] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.564] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.564] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.564] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.564] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.564] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.564] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\..") returned 147 [0089.564] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.564] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.564] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.564] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.564] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.564] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.564] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.564] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.565] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0089.565] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.565] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.565] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.565] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.565] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0089.565] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.565] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0089.565] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.565] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0089.565] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.565] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xdf, lpOverlapped=0x0) returned 1 [0089.566] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.566] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xdf, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xdf, lpOverlapped=0x0) returned 1 [0089.566] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.566] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.566] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.566] CloseHandle (hObject=0x200) returned 1 [0089.566] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json.protected") returned 168 [0089.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0089.568] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.568] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.568] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0089.568] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.568] lstrlenA (lpString="EMPTY") returned 5 [0089.568] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.569] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.569] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.569] CloseHandle (hObject=0x1fc) returned 1 [0089.569] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.569] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0089.569] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0089.569] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0089.569] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0089.569] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0089.569] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro") returned 141 [0089.569] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0089.569] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0089.569] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\*") returned 143 [0089.569] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.569] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.569] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.569] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.569] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.569] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.569] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\.") returned 143 [0089.570] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.570] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.570] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.570] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.570] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.570] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.570] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.570] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\..") returned 144 [0089.570] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.570] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.570] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.570] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.570] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.570] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.570] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.570] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.570] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json") returned 155 [0089.570] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.570] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.570] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.570] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.570] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json") returned 155 [0089.570] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.570] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json") returned 155 [0089.570] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.570] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json") returned 155 [0089.570] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.570] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x109, lpOverlapped=0x0) returned 1 [0089.571] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffef7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.571] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x109, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x109, lpOverlapped=0x0) returned 1 [0089.571] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.571] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.571] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.572] CloseHandle (hObject=0x200) returned 1 [0089.572] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json.protected") returned 165 [0089.572] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json.protected")) returned 1 [0089.572] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.572] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.572] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.582] lstrlenA (lpString="EMPTY") returned 5 [0089.582] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.584] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.585] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.585] CloseHandle (hObject=0x1fc) returned 1 [0089.585] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.585] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0089.585] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0089.585] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0089.585] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0089.585] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0089.585] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru") returned 141 [0089.585] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0089.585] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0089.585] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\*") returned 143 [0089.585] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.585] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.585] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.585] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.585] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.585] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.585] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\.") returned 143 [0089.585] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.585] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.585] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.585] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.585] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.585] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.585] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.585] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\..") returned 144 [0089.585] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.585] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.586] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.586] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.586] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.586] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.586] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.586] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.586] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json") returned 155 [0089.586] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.586] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.586] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.586] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json") returned 155 [0089.586] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json") returned 155 [0089.586] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json") returned 155 [0089.586] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.586] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x11e, lpOverlapped=0x0) returned 1 [0089.587] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffee2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.587] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x11e, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x11e, lpOverlapped=0x0) returned 1 [0089.587] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.587] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.587] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.587] CloseHandle (hObject=0x200) returned 1 [0089.587] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json.protected") returned 165 [0089.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json.protected")) returned 1 [0089.588] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.588] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.588] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.588] lstrlenA (lpString="EMPTY") returned 5 [0089.588] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.589] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.589] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.589] CloseHandle (hObject=0x1fc) returned 1 [0089.589] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.589] lstrcmpiW (lpString1="se", lpString2="Windows") returned -1 [0089.589] lstrcmpiW (lpString1="se", lpString2="Program Files") returned 1 [0089.589] lstrcmpiW (lpString1="se", lpString2="Program Files (x86)") returned 1 [0089.589] lstrcmpiW (lpString1="se", lpString2="$Recycle.bin") returned 1 [0089.589] lstrcmpiW (lpString1="se", lpString2="System Volume Information") returned -1 [0089.589] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se") returned 141 [0089.589] lstrcmpW (lpString1="se", lpString2=".") returned 1 [0089.589] lstrcmpW (lpString1="se", lpString2="..") returned 1 [0089.589] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\*") returned 143 [0089.589] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.589] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.589] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.589] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.589] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.590] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.590] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\.") returned 143 [0089.590] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.590] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.590] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.590] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.590] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.590] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.590] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.590] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\..") returned 144 [0089.590] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.590] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.590] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.590] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.590] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.590] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.590] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.590] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.590] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json") returned 155 [0089.590] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.590] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.590] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.590] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.590] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json") returned 155 [0089.590] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.590] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json") returned 155 [0089.591] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.591] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json") returned 155 [0089.591] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.591] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xd2, lpOverlapped=0x0) returned 1 [0089.591] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.591] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xd2, lpOverlapped=0x0) returned 1 [0089.591] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.591] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.592] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.592] CloseHandle (hObject=0x200) returned 1 [0089.592] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json.protected") returned 165 [0089.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json.protected")) returned 1 [0089.592] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.592] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.592] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.593] lstrlenA (lpString="EMPTY") returned 5 [0089.593] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.594] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.594] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.594] CloseHandle (hObject=0x1fc) returned 1 [0089.594] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.594] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0089.594] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0089.594] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0089.594] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0089.594] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0089.594] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk") returned 141 [0089.594] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0089.594] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0089.594] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\*") returned 143 [0089.594] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.594] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.594] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.594] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.594] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.594] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.594] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\.") returned 143 [0089.594] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.595] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.595] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.595] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.595] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.595] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.595] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.595] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\..") returned 144 [0089.595] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.595] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.595] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.595] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.595] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.595] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.595] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.595] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.595] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json") returned 155 [0089.595] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.595] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.595] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.595] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.596] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json") returned 155 [0089.596] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.596] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json") returned 155 [0089.596] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.596] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json") returned 155 [0089.596] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.596] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0089.596] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.596] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xde, lpOverlapped=0x0) returned 1 [0089.596] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.597] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.597] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.597] CloseHandle (hObject=0x200) returned 1 [0089.597] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json.protected") returned 165 [0089.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json.protected")) returned 1 [0089.598] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.598] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.598] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.598] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.598] lstrlenA (lpString="EMPTY") returned 5 [0089.598] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.599] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.599] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.599] CloseHandle (hObject=0x1fc) returned 1 [0089.599] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.599] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0089.599] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0089.599] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0089.599] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0089.599] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0089.599] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl") returned 141 [0089.599] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0089.599] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0089.599] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\*") returned 143 [0089.599] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.600] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.600] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.600] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.600] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.600] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.600] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\.") returned 143 [0089.600] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.600] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.600] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.600] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.600] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.600] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.600] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.600] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\..") returned 144 [0089.600] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.600] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.600] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.600] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.600] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.600] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.600] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.600] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.600] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json") returned 155 [0089.600] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.600] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.600] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.600] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json") returned 155 [0089.601] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json") returned 155 [0089.601] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json") returned 155 [0089.601] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.601] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xea, lpOverlapped=0x0) returned 1 [0089.603] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.603] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xea, lpOverlapped=0x0) returned 1 [0089.603] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.603] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.603] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.603] CloseHandle (hObject=0x200) returned 1 [0089.603] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json.protected") returned 165 [0089.604] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json.protected")) returned 1 [0089.604] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.604] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.604] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.606] lstrlenA (lpString="EMPTY") returned 5 [0089.606] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.610] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.610] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.611] CloseHandle (hObject=0x1fc) returned 1 [0089.611] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.611] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0089.611] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0089.611] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0089.611] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0089.611] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0089.611] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr") returned 141 [0089.611] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0089.611] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0089.611] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\*") returned 143 [0089.611] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.611] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.611] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.611] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.611] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.611] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.611] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\.") returned 143 [0089.611] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.611] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.611] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.611] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.611] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.611] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.612] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.612] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\..") returned 144 [0089.612] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.612] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.612] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.612] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.612] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.612] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.612] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.612] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.612] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json") returned 155 [0089.612] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.612] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.612] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.612] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.612] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json") returned 155 [0089.612] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.612] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json") returned 155 [0089.612] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.612] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json") returned 155 [0089.612] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.613] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x127, lpOverlapped=0x0) returned 1 [0089.613] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffed9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.613] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x127, lpOverlapped=0x0) returned 1 [0089.613] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.613] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.613] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.614] CloseHandle (hObject=0x200) returned 1 [0089.614] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json.protected") returned 165 [0089.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json.protected")) returned 1 [0089.614] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.614] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.614] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.615] lstrlenA (lpString="EMPTY") returned 5 [0089.615] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.616] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.616] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.616] CloseHandle (hObject=0x1fc) returned 1 [0089.616] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.616] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0089.616] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0089.616] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0089.616] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0089.616] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0089.616] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th") returned 141 [0089.616] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0089.616] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0089.616] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\*") returned 143 [0089.616] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.616] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.616] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.616] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.617] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.617] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.617] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\.") returned 143 [0089.617] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.617] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.617] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.617] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.617] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.617] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.617] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.617] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\..") returned 144 [0089.617] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.617] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.617] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.617] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.617] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.617] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.617] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.617] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.617] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json") returned 155 [0089.617] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.617] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.617] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.617] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.617] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json") returned 155 [0089.617] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.617] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json") returned 155 [0089.617] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.617] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json") returned 155 [0089.617] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.618] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x144, lpOverlapped=0x0) returned 1 [0089.618] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffebc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.618] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x144, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x144, lpOverlapped=0x0) returned 1 [0089.618] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.618] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.618] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.618] CloseHandle (hObject=0x200) returned 1 [0089.619] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json.protected") returned 165 [0089.619] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json.protected")) returned 1 [0089.622] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.622] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.622] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.622] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.623] lstrlenA (lpString="EMPTY") returned 5 [0089.623] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.623] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.623] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.623] CloseHandle (hObject=0x1fc) returned 1 [0089.623] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.623] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0089.623] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0089.623] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0089.623] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0089.624] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0089.624] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr") returned 141 [0089.624] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0089.624] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0089.624] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\*") returned 143 [0089.624] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.624] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.624] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.624] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.624] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.624] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.624] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\.") returned 143 [0089.624] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.624] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.624] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.624] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.624] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.624] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.624] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.624] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\..") returned 144 [0089.624] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.624] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.624] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.624] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.624] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.624] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.624] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.624] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.624] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json") returned 155 [0089.624] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.624] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.624] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.624] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.625] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json") returned 155 [0089.625] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.625] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json") returned 155 [0089.625] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.625] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json") returned 155 [0089.625] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.625] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xea, lpOverlapped=0x0) returned 1 [0089.626] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.626] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xea, lpOverlapped=0x0) returned 1 [0089.626] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.626] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.626] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.626] CloseHandle (hObject=0x200) returned 1 [0089.626] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json.protected") returned 165 [0089.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json.protected")) returned 1 [0089.627] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.627] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.627] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.627] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.627] lstrlenA (lpString="EMPTY") returned 5 [0089.627] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.629] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.629] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.629] CloseHandle (hObject=0x1fc) returned 1 [0089.629] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.630] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0089.630] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0089.630] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0089.630] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0089.630] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0089.630] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk") returned 141 [0089.630] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0089.630] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0089.630] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\*") returned 143 [0089.630] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.630] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.630] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.630] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.630] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.630] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.630] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\.") returned 143 [0089.630] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.630] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.630] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.630] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.630] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.630] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.630] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.630] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\..") returned 144 [0089.630] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.630] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.630] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.630] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.630] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.630] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.631] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.631] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.631] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json") returned 155 [0089.631] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.631] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.631] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.631] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.631] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.631] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json") returned 155 [0089.631] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.631] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json") returned 155 [0089.631] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.631] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json") returned 155 [0089.631] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.631] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x130, lpOverlapped=0x0) returned 1 [0089.632] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffed0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.632] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x130, lpOverlapped=0x0) returned 1 [0089.632] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.632] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.632] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.632] CloseHandle (hObject=0x200) returned 1 [0089.632] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json.protected") returned 165 [0089.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json.protected")) returned 1 [0089.633] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.633] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.633] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.633] lstrlenA (lpString="EMPTY") returned 5 [0089.633] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.634] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.634] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.634] CloseHandle (hObject=0x1fc) returned 1 [0089.634] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.634] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0089.634] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0089.634] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0089.634] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0089.634] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0089.636] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi") returned 141 [0089.636] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0089.636] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0089.638] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\*") returned 143 [0089.638] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.638] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.638] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.638] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.638] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.638] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.638] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\.") returned 143 [0089.638] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.638] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.638] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.638] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.638] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.638] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.638] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.639] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\..") returned 144 [0089.639] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.639] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.639] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.639] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.639] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.639] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.639] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.639] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.639] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json") returned 155 [0089.639] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.639] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.639] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.639] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.640] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json") returned 155 [0089.640] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.640] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json") returned 155 [0089.640] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.640] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json") returned 155 [0089.640] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.640] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xe8, lpOverlapped=0x0) returned 1 [0089.641] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.641] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xe8, lpOverlapped=0x0) returned 1 [0089.641] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.641] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.641] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.641] CloseHandle (hObject=0x200) returned 1 [0089.641] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json.protected") returned 165 [0089.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json.protected")) returned 1 [0089.642] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.642] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.642] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 171 [0089.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.643] lstrlenA (lpString="EMPTY") returned 5 [0089.643] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.643] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.643] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.644] CloseHandle (hObject=0x1fc) returned 1 [0089.644] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.644] lstrcmpiW (lpString1="zh_CN", lpString2="Windows") returned 1 [0089.644] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files") returned 1 [0089.644] lstrcmpiW (lpString1="zh_CN", lpString2="Program Files (x86)") returned 1 [0089.644] lstrcmpiW (lpString1="zh_CN", lpString2="$Recycle.bin") returned 1 [0089.644] lstrcmpiW (lpString1="zh_CN", lpString2="System Volume Information") returned 1 [0089.644] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN") returned 144 [0089.644] lstrcmpW (lpString1="zh_CN", lpString2=".") returned 1 [0089.644] lstrcmpW (lpString1="zh_CN", lpString2="..") returned 1 [0089.644] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\*") returned 146 [0089.644] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.644] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.644] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.644] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.644] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.644] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.644] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\.") returned 146 [0089.645] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.645] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.645] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.645] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.645] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.645] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.645] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.645] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\..") returned 147 [0089.645] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.645] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.645] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.645] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.645] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.645] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.645] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.645] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.645] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0089.645] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.645] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.645] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.645] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.646] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0089.646] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.646] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0089.646] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.646] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0089.646] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.646] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x102, lpOverlapped=0x0) returned 1 [0089.647] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.647] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x102, lpOverlapped=0x0) returned 1 [0089.647] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.647] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.647] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.648] CloseHandle (hObject=0x200) returned 1 [0089.648] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json.protected") returned 168 [0089.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\messages.json.protected")) returned 1 [0089.648] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.649] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.649] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0089.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.649] lstrlenA (lpString="EMPTY") returned 5 [0089.649] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.650] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.650] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.651] CloseHandle (hObject=0x1fc) returned 1 [0089.652] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.652] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0089.652] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0089.652] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0089.652] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0089.652] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0089.652] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW") returned 144 [0089.652] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0089.652] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0089.652] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\*") returned 146 [0089.652] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0089.653] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.653] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.653] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.653] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.653] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.653] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\.") returned 146 [0089.653] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.653] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.653] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.653] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.653] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.653] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.653] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.653] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\..") returned 147 [0089.653] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.653] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.653] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0089.653] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0089.653] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0089.653] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0089.653] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0089.653] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0089.653] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0089.653] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0089.654] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.654] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0089.654] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0089.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0089.654] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0089.654] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0089.654] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0089.654] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0089.654] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0089.654] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0089.654] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0xf9, lpOverlapped=0x0) returned 1 [0089.655] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffff07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.655] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0xf9, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0xf9, lpOverlapped=0x0) returned 1 [0089.655] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.655] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0089.656] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0089.656] CloseHandle (hObject=0x200) returned 1 [0089.656] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json.protected") returned 168 [0089.656] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0089.657] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0089.657] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0089.657] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 174 [0089.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.657] lstrlenA (lpString="EMPTY") returned 5 [0089.657] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0089.658] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.658] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.658] CloseHandle (hObject=0x1fc) returned 1 [0089.658] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0089.658] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0089.658] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 168 [0089.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0089.659] lstrlenA (lpString="EMPTY") returned 5 [0089.659] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0089.660] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.660] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0089.660] CloseHandle (hObject=0x1f8) returned 1 [0089.660] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0089.660] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0089.660] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0089.660] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0089.660] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0089.660] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0089.660] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata") returned 139 [0089.660] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0089.660] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0089.660] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\*") returned 141 [0089.660] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0089.660] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.660] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.660] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.660] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.660] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.660] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\.") returned 141 [0089.660] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.660] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.660] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.660] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.660] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.660] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.661] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.661] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\..") returned 142 [0089.661] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.661] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.661] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0089.661] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0089.661] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0089.661] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0089.661] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0089.661] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0089.661] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json") returned 162 [0089.661] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0089.661] lstrcmpW (lpString1="verified_contents.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0089.661] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0089.661] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0089.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0089.661] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json") returned 162 [0089.661] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0089.661] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json") returned 162 [0089.661] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0089.661] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json") returned 162 [0089.661] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0089.662] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x2686, lpOverlapped=0x0) returned 1 [0089.785] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffd97a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.785] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x2686, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x2686, lpOverlapped=0x0) returned 1 [0089.786] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.786] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0089.786] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0089.786] CloseHandle (hObject=0x1fc) returned 1 [0089.786] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json.protected") returned 172 [0089.786] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json.protected")) returned 1 [0089.787] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0089.787] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0089.787] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 169 [0089.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0089.788] lstrlenA (lpString="EMPTY") returned 5 [0089.788] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0089.788] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.788] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0089.789] CloseHandle (hObject=0x1f8) returned 1 [0089.789] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0 [0089.789] FindClose (in: hFindFile=0x557570 | out: hFindFile=0x557570) returned 1 [0089.812] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 159 [0089.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0089.822] lstrlenA (lpString="EMPTY") returned 5 [0089.822] WriteFile (in: hFile=0x1f4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed6c4*=0x5, lpOverlapped=0x0) returned 1 [0089.825] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.825] WriteFile (in: hFile=0x1f4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed6c4*=0x2ac, lpOverlapped=0x0) returned 1 [0089.826] CloseHandle (hObject=0x1f4) returned 1 [0089.826] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0 [0089.826] FindClose (in: hFindFile=0x557530 | out: hFindFile=0x557530) returned 1 [0089.826] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 153 [0089.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0089.829] lstrlenA (lpString="EMPTY") returned 5 [0089.829] WriteFile (in: hFile=0x1f0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed9bc*=0x5, lpOverlapped=0x0) returned 1 [0089.830] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0089.830] WriteFile (in: hFile=0x1f0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed9bc*=0x2ac, lpOverlapped=0x0) returned 1 [0089.830] CloseHandle (hObject=0x1f0) returned 1 [0089.830] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 1 [0089.830] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Windows") returned -1 [0089.830] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Program Files") returned -1 [0089.830] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="Program Files (x86)") returned -1 [0089.830] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="$Recycle.bin") returned 1 [0089.830] lstrcmpiW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="System Volume Information") returned -1 [0089.830] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm") returned 123 [0089.830] lstrcmpW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2=".") returned 1 [0089.830] lstrcmpW (lpString1="pkedcjkdefgpdelpbcmbmeomcjbeemfm", lpString2="..") returned 1 [0089.830] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\*") returned 125 [0089.830] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\*", lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0x557530 [0089.831] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.831] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.831] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.831] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.831] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.831] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\.") returned 125 [0089.831] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.831] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0089.831] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.831] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.831] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.831] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.831] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.831] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\..") returned 126 [0089.831] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.831] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.831] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 1 [0089.831] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="Windows") returned -1 [0089.831] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="Program Files") returned -1 [0089.831] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="Program Files (x86)") returned -1 [0089.831] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="$Recycle.bin") returned 1 [0089.831] lstrcmpiW (lpString1="5817.313.0.5_0", lpString2="System Volume Information") returned -1 [0089.831] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0") returned 138 [0089.831] lstrcmpW (lpString1="5817.313.0.5_0", lpString2=".") returned 1 [0089.831] lstrcmpW (lpString1="5817.313.0.5_0", lpString2="..") returned 1 [0089.831] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\*") returned 140 [0089.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\*", lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0x557570 [0089.833] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.833] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0089.833] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0089.833] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.833] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.833] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\.") returned 140 [0089.833] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.833] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0089.834] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.834] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0089.834] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0089.834] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.834] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.834] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\..") returned 141 [0089.834] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.834] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.834] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0089.834] lstrcmpiW (lpString1="angular.js", lpString2="Windows") returned -1 [0089.834] lstrcmpiW (lpString1="angular.js", lpString2="Program Files") returned -1 [0089.834] lstrcmpiW (lpString1="angular.js", lpString2="Program Files (x86)") returned -1 [0089.834] lstrcmpiW (lpString1="angular.js", lpString2="$Recycle.bin") returned 1 [0089.834] lstrcmpiW (lpString1="angular.js", lpString2="System Volume Information") returned -1 [0089.834] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js") returned 149 [0089.834] StrStrIW (lpFirst="angular.js", lpSrch=".protected") returned 0x0 [0089.834] lstrcmpW (lpString1="angular.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0089.834] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0089.834] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0089.834] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0089.837] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js") returned 149 [0089.838] StrStrW (lpFirst="angular.js", lpSrch=".txt") returned 0x0 [0089.838] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js") returned 149 [0089.838] StrStrW (lpFirst="angular.js", lpSrch=".rar") returned 0x0 [0089.838] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js") returned 149 [0089.838] StrStrW (lpFirst="angular.js", lpSrch=".zip") returned 0x0 [0089.838] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0089.865] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.865] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0089.865] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.865] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0089.898] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0089.898] CloseHandle (hObject=0x1f8) returned 1 [0089.899] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js.protected") returned 159 [0089.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js.protected")) returned 1 [0089.900] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0089.900] lstrcmpiW (lpString1="background_script.js", lpString2="Windows") returned -1 [0089.900] lstrcmpiW (lpString1="background_script.js", lpString2="Program Files") returned -1 [0089.900] lstrcmpiW (lpString1="background_script.js", lpString2="Program Files (x86)") returned -1 [0089.900] lstrcmpiW (lpString1="background_script.js", lpString2="$Recycle.bin") returned 1 [0089.900] lstrcmpiW (lpString1="background_script.js", lpString2="System Volume Information") returned -1 [0089.900] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js") returned 159 [0089.900] StrStrIW (lpFirst="background_script.js", lpSrch=".protected") returned 0x0 [0089.900] lstrcmpW (lpString1="background_script.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0089.900] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0089.900] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0089.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0089.901] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js") returned 159 [0089.901] StrStrW (lpFirst="background_script.js", lpSrch=".txt") returned 0x0 [0089.901] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js") returned 159 [0089.901] StrStrW (lpFirst="background_script.js", lpSrch=".rar") returned 0x0 [0089.901] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js") returned 159 [0089.901] StrStrW (lpFirst="background_script.js", lpSrch=".zip") returned 0x0 [0089.901] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0089.927] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.928] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0089.929] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.929] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0089.929] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0089.929] CloseHandle (hObject=0x1f8) returned 1 [0089.930] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js.protected") returned 169 [0089.930] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js.protected")) returned 1 [0089.930] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0089.930] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="Windows") returned -1 [0089.931] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="Program Files") returned -1 [0089.931] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="Program Files (x86)") returned -1 [0089.931] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="$Recycle.bin") returned 1 [0089.931] lstrcmpiW (lpString1="cast_game_sender.js", lpString2="System Volume Information") returned -1 [0089.931] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js") returned 158 [0089.931] StrStrIW (lpFirst="cast_game_sender.js", lpSrch=".protected") returned 0x0 [0089.931] lstrcmpW (lpString1="cast_game_sender.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0089.931] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0089.931] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0089.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0089.931] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js") returned 158 [0089.931] StrStrW (lpFirst="cast_game_sender.js", lpSrch=".txt") returned 0x0 [0089.931] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js") returned 158 [0089.931] StrStrW (lpFirst="cast_game_sender.js", lpSrch=".rar") returned 0x0 [0089.931] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js") returned 158 [0089.931] StrStrW (lpFirst="cast_game_sender.js", lpSrch=".zip") returned 0x0 [0089.932] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0089.933] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.933] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0089.934] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.934] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0089.940] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0089.940] CloseHandle (hObject=0x1f8) returned 1 [0089.941] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js.protected") returned 168 [0089.941] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js.protected")) returned 1 [0089.942] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0089.942] lstrcmpiW (lpString1="cast_route_details.html", lpString2="Windows") returned -1 [0089.942] lstrcmpiW (lpString1="cast_route_details.html", lpString2="Program Files") returned -1 [0089.942] lstrcmpiW (lpString1="cast_route_details.html", lpString2="Program Files (x86)") returned -1 [0089.942] lstrcmpiW (lpString1="cast_route_details.html", lpString2="$Recycle.bin") returned 1 [0089.942] lstrcmpiW (lpString1="cast_route_details.html", lpString2="System Volume Information") returned -1 [0089.942] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html") returned 162 [0089.942] StrStrIW (lpFirst="cast_route_details.html", lpSrch=".protected") returned 0x0 [0089.942] lstrcmpW (lpString1="cast_route_details.html", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0089.942] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0089.942] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0089.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0089.946] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html") returned 162 [0089.946] StrStrW (lpFirst="cast_route_details.html", lpSrch=".txt") returned 0x0 [0089.946] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html") returned 162 [0089.946] StrStrW (lpFirst="cast_route_details.html", lpSrch=".rar") returned 0x0 [0089.946] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html") returned 162 [0089.946] StrStrW (lpFirst="cast_route_details.html", lpSrch=".zip") returned 0x0 [0089.946] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0089.948] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.948] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0089.949] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.949] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0089.949] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0089.949] CloseHandle (hObject=0x1f8) returned 1 [0089.949] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html.protected") returned 172 [0089.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html.protected")) returned 1 [0089.950] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0089.950] lstrcmpiW (lpString1="cast_route_details.js", lpString2="Windows") returned -1 [0089.950] lstrcmpiW (lpString1="cast_route_details.js", lpString2="Program Files") returned -1 [0089.950] lstrcmpiW (lpString1="cast_route_details.js", lpString2="Program Files (x86)") returned -1 [0089.950] lstrcmpiW (lpString1="cast_route_details.js", lpString2="$Recycle.bin") returned 1 [0089.950] lstrcmpiW (lpString1="cast_route_details.js", lpString2="System Volume Information") returned -1 [0089.950] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js") returned 160 [0089.950] StrStrIW (lpFirst="cast_route_details.js", lpSrch=".protected") returned 0x0 [0089.951] lstrcmpW (lpString1="cast_route_details.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0089.951] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0089.951] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0089.951] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0089.951] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js") returned 160 [0089.951] StrStrW (lpFirst="cast_route_details.js", lpSrch=".txt") returned 0x0 [0089.951] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js") returned 160 [0089.951] StrStrW (lpFirst="cast_route_details.js", lpSrch=".rar") returned 0x0 [0089.951] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js") returned 160 [0089.951] StrStrW (lpFirst="cast_route_details.js", lpSrch=".zip") returned 0x0 [0089.951] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0089.964] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.964] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0089.965] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.965] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0089.990] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0089.990] CloseHandle (hObject=0x1f8) returned 1 [0089.991] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js.protected") returned 170 [0089.991] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js.protected")) returned 1 [0089.992] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0089.992] lstrcmpiW (lpString1="cast_sender.js", lpString2="Windows") returned -1 [0089.992] lstrcmpiW (lpString1="cast_sender.js", lpString2="Program Files") returned -1 [0089.992] lstrcmpiW (lpString1="cast_sender.js", lpString2="Program Files (x86)") returned -1 [0089.992] lstrcmpiW (lpString1="cast_sender.js", lpString2="$Recycle.bin") returned 1 [0089.992] lstrcmpiW (lpString1="cast_sender.js", lpString2="System Volume Information") returned -1 [0089.992] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js") returned 153 [0089.992] StrStrIW (lpFirst="cast_sender.js", lpSrch=".protected") returned 0x0 [0089.992] lstrcmpW (lpString1="cast_sender.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0089.993] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0089.993] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0089.993] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0089.994] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js") returned 153 [0089.994] StrStrW (lpFirst="cast_sender.js", lpSrch=".txt") returned 0x0 [0089.994] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js") returned 153 [0089.994] StrStrW (lpFirst="cast_sender.js", lpSrch=".rar") returned 0x0 [0089.994] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js") returned 153 [0089.994] StrStrW (lpFirst="cast_sender.js", lpSrch=".zip") returned 0x0 [0089.994] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.019] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.020] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.021] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.021] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0090.045] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0090.045] CloseHandle (hObject=0x1f8) returned 1 [0090.046] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js.protected") returned 163 [0090.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js.protected")) returned 1 [0090.047] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0090.047] lstrcmpiW (lpString1="cast_setup", lpString2="Windows") returned -1 [0090.047] lstrcmpiW (lpString1="cast_setup", lpString2="Program Files") returned -1 [0090.047] lstrcmpiW (lpString1="cast_setup", lpString2="Program Files (x86)") returned -1 [0090.047] lstrcmpiW (lpString1="cast_setup", lpString2="$Recycle.bin") returned 1 [0090.047] lstrcmpiW (lpString1="cast_setup", lpString2="System Volume Information") returned -1 [0090.047] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup") returned 149 [0090.047] lstrcmpW (lpString1="cast_setup", lpString2=".") returned 1 [0090.047] lstrcmpW (lpString1="cast_setup", lpString2="..") returned 1 [0090.048] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\*") returned 151 [0090.048] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0090.097] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.097] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.097] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.097] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.097] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.097] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\.") returned 151 [0090.097] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.097] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.097] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.097] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.097] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.097] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.097] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.097] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\..") returned 152 [0090.098] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.098] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.098] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.098] lstrcmpiW (lpString1="cast_app.css", lpString2="Windows") returned -1 [0090.098] lstrcmpiW (lpString1="cast_app.css", lpString2="Program Files") returned -1 [0090.098] lstrcmpiW (lpString1="cast_app.css", lpString2="Program Files (x86)") returned -1 [0090.098] lstrcmpiW (lpString1="cast_app.css", lpString2="$Recycle.bin") returned 1 [0090.098] lstrcmpiW (lpString1="cast_app.css", lpString2="System Volume Information") returned -1 [0090.098] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css") returned 162 [0090.098] StrStrIW (lpFirst="cast_app.css", lpSrch=".protected") returned 0x0 [0090.098] lstrcmpW (lpString1="cast_app.css", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0090.098] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0090.098] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0090.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css") returned 162 [0090.099] StrStrW (lpFirst="cast_app.css", lpSrch=".txt") returned 0x0 [0090.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css") returned 162 [0090.099] StrStrW (lpFirst="cast_app.css", lpSrch=".rar") returned 0x0 [0090.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css") returned 162 [0090.099] StrStrW (lpFirst="cast_app.css", lpSrch=".zip") returned 0x0 [0090.099] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x1a1d, lpOverlapped=0x0) returned 1 [0090.109] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffe5e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.109] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x1a1d, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x1a1d, lpOverlapped=0x0) returned 1 [0090.110] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.110] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0090.110] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0090.110] CloseHandle (hObject=0x1fc) returned 1 [0090.110] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css.protected") returned 172 [0090.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css.protected")) returned 1 [0090.111] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.111] lstrcmpiW (lpString1="cast_app.js", lpString2="Windows") returned -1 [0090.111] lstrcmpiW (lpString1="cast_app.js", lpString2="Program Files") returned -1 [0090.111] lstrcmpiW (lpString1="cast_app.js", lpString2="Program Files (x86)") returned -1 [0090.111] lstrcmpiW (lpString1="cast_app.js", lpString2="$Recycle.bin") returned 1 [0090.111] lstrcmpiW (lpString1="cast_app.js", lpString2="System Volume Information") returned -1 [0090.111] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js") returned 161 [0090.111] StrStrIW (lpFirst="cast_app.js", lpSrch=".protected") returned 0x0 [0090.111] lstrcmpW (lpString1="cast_app.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0090.111] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0090.111] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0090.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.112] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js") returned 161 [0090.112] StrStrW (lpFirst="cast_app.js", lpSrch=".txt") returned 0x0 [0090.112] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js") returned 161 [0090.112] StrStrW (lpFirst="cast_app.js", lpSrch=".rar") returned 0x0 [0090.112] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js") returned 161 [0090.112] StrStrW (lpFirst="cast_app.js", lpSrch=".zip") returned 0x0 [0090.112] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0090.114] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.114] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0090.114] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.114] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0090.114] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0090.115] CloseHandle (hObject=0x1fc) returned 1 [0090.137] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js.protected") returned 171 [0090.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js.protected")) returned 1 [0090.141] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.141] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="Windows") returned -1 [0090.141] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="Program Files") returned -1 [0090.141] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="Program Files (x86)") returned -1 [0090.141] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="$Recycle.bin") returned 1 [0090.141] lstrcmpiW (lpString1="cast_app_redirect.js", lpString2="System Volume Information") returned -1 [0090.141] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js") returned 170 [0090.141] StrStrIW (lpFirst="cast_app_redirect.js", lpSrch=".protected") returned 0x0 [0090.141] lstrcmpW (lpString1="cast_app_redirect.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0090.141] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0090.141] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0090.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.142] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js") returned 170 [0090.142] StrStrW (lpFirst="cast_app_redirect.js", lpSrch=".txt") returned 0x0 [0090.142] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js") returned 170 [0090.142] StrStrW (lpFirst="cast_app_redirect.js", lpSrch=".rar") returned 0x0 [0090.143] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js") returned 170 [0090.143] StrStrW (lpFirst="cast_app_redirect.js", lpSrch=".zip") returned 0x0 [0090.143] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0xf2, lpOverlapped=0x0) returned 1 [0090.143] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffff0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.143] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0xf2, lpOverlapped=0x0) returned 1 [0090.143] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.143] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0090.144] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0090.144] CloseHandle (hObject=0x1fc) returned 1 [0090.144] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js.protected") returned 180 [0090.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js.protected")) returned 1 [0090.144] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.144] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="Windows") returned -1 [0090.144] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="Program Files") returned -1 [0090.144] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="Program Files (x86)") returned -1 [0090.144] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="$Recycle.bin") returned 1 [0090.144] lstrcmpiW (lpString1="chromecast_logo_grey.png", lpString2="System Volume Information") returned -1 [0090.145] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png") returned 174 [0090.145] StrStrIW (lpFirst="chromecast_logo_grey.png", lpSrch=".protected") returned 0x0 [0090.145] lstrcmpW (lpString1="chromecast_logo_grey.png", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0090.145] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0090.145] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0090.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.145] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png") returned 174 [0090.145] StrStrW (lpFirst="chromecast_logo_grey.png", lpSrch=".txt") returned 0x0 [0090.145] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png") returned 174 [0090.145] StrStrW (lpFirst="chromecast_logo_grey.png", lpSrch=".rar") returned 0x0 [0090.145] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png") returned 174 [0090.145] StrStrW (lpFirst="chromecast_logo_grey.png", lpSrch=".zip") returned 0x0 [0090.145] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x1bef, lpOverlapped=0x0) returned 1 [0090.161] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffe411, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.161] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x1bef, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x1bef, lpOverlapped=0x0) returned 1 [0090.161] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.161] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0090.161] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0090.161] CloseHandle (hObject=0x1fc) returned 1 [0090.162] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png.protected") returned 184 [0090.162] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png.protected")) returned 1 [0090.162] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.162] lstrcmpiW (lpString1="devices.html", lpString2="Windows") returned -1 [0090.162] lstrcmpiW (lpString1="devices.html", lpString2="Program Files") returned -1 [0090.162] lstrcmpiW (lpString1="devices.html", lpString2="Program Files (x86)") returned -1 [0090.162] lstrcmpiW (lpString1="devices.html", lpString2="$Recycle.bin") returned 1 [0090.162] lstrcmpiW (lpString1="devices.html", lpString2="System Volume Information") returned -1 [0090.162] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html") returned 162 [0090.162] StrStrIW (lpFirst="devices.html", lpSrch=".protected") returned 0x0 [0090.162] lstrcmpW (lpString1="devices.html", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0090.162] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0090.163] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0090.163] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.163] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html") returned 162 [0090.163] StrStrW (lpFirst="devices.html", lpSrch=".txt") returned 0x0 [0090.163] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html") returned 162 [0090.163] StrStrW (lpFirst="devices.html", lpSrch=".rar") returned 0x0 [0090.163] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html") returned 162 [0090.163] StrStrW (lpFirst="devices.html", lpSrch=".zip") returned 0x0 [0090.163] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x3b, lpOverlapped=0x0) returned 1 [0090.164] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffffc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.164] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x3b, lpOverlapped=0x0) returned 1 [0090.164] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.164] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0090.164] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0090.164] CloseHandle (hObject=0x1fc) returned 1 [0090.164] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html.protected") returned 172 [0090.164] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html.protected")) returned 1 [0090.165] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.165] lstrcmpiW (lpString1="index.html", lpString2="Windows") returned -1 [0090.165] lstrcmpiW (lpString1="index.html", lpString2="Program Files") returned -1 [0090.165] lstrcmpiW (lpString1="index.html", lpString2="Program Files (x86)") returned -1 [0090.165] lstrcmpiW (lpString1="index.html", lpString2="$Recycle.bin") returned 1 [0090.165] lstrcmpiW (lpString1="index.html", lpString2="System Volume Information") returned -1 [0090.165] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html") returned 160 [0090.165] StrStrIW (lpFirst="index.html", lpSrch=".protected") returned 0x0 [0090.165] lstrcmpW (lpString1="index.html", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.165] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0090.165] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0090.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.165] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html") returned 160 [0090.165] StrStrW (lpFirst="index.html", lpSrch=".txt") returned 0x0 [0090.165] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html") returned 160 [0090.165] StrStrW (lpFirst="index.html", lpSrch=".rar") returned 0x0 [0090.165] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html") returned 160 [0090.165] StrStrW (lpFirst="index.html", lpSrch=".zip") returned 0x0 [0090.165] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x828, lpOverlapped=0x0) returned 1 [0090.217] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffff7d8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.217] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x828, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x828, lpOverlapped=0x0) returned 1 [0090.218] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.218] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0090.218] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0090.218] CloseHandle (hObject=0x1fc) returned 1 [0090.218] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html.protected") returned 170 [0090.218] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html.protected")) returned 1 [0090.219] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.219] lstrcmpiW (lpString1="offers.html", lpString2="Windows") returned -1 [0090.219] lstrcmpiW (lpString1="offers.html", lpString2="Program Files") returned -1 [0090.219] lstrcmpiW (lpString1="offers.html", lpString2="Program Files (x86)") returned -1 [0090.219] lstrcmpiW (lpString1="offers.html", lpString2="$Recycle.bin") returned 1 [0090.219] lstrcmpiW (lpString1="offers.html", lpString2="System Volume Information") returned -1 [0090.219] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html") returned 161 [0090.219] StrStrIW (lpFirst="offers.html", lpSrch=".protected") returned 0x0 [0090.219] lstrcmpW (lpString1="offers.html", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.219] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0090.219] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0090.219] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.220] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html") returned 161 [0090.220] StrStrW (lpFirst="offers.html", lpSrch=".txt") returned 0x0 [0090.220] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html") returned 161 [0090.221] StrStrW (lpFirst="offers.html", lpSrch=".rar") returned 0x0 [0090.221] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html") returned 161 [0090.221] StrStrW (lpFirst="offers.html", lpSrch=".zip") returned 0x0 [0090.221] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x3b, lpOverlapped=0x0) returned 1 [0090.221] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffffc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.221] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x3b, lpOverlapped=0x0) returned 1 [0090.222] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.222] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0090.222] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0090.222] CloseHandle (hObject=0x1fc) returned 1 [0090.222] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html.protected") returned 171 [0090.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html.protected")) returned 1 [0090.223] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.223] lstrcmpiW (lpString1="setup.html", lpString2="Windows") returned -1 [0090.223] lstrcmpiW (lpString1="setup.html", lpString2="Program Files") returned 1 [0090.223] lstrcmpiW (lpString1="setup.html", lpString2="Program Files (x86)") returned 1 [0090.223] lstrcmpiW (lpString1="setup.html", lpString2="$Recycle.bin") returned 1 [0090.223] lstrcmpiW (lpString1="setup.html", lpString2="System Volume Information") returned -1 [0090.223] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html") returned 160 [0090.223] StrStrIW (lpFirst="setup.html", lpSrch=".protected") returned 0x0 [0090.223] lstrcmpW (lpString1="setup.html", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.223] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0090.223] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0090.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.223] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html") returned 160 [0090.223] StrStrW (lpFirst="setup.html", lpSrch=".txt") returned 0x0 [0090.223] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html") returned 160 [0090.224] StrStrW (lpFirst="setup.html", lpSrch=".rar") returned 0x0 [0090.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html") returned 160 [0090.224] StrStrW (lpFirst="setup.html", lpSrch=".zip") returned 0x0 [0090.224] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x3b, lpOverlapped=0x0) returned 1 [0090.224] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffffc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.224] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x3b, lpOverlapped=0x0) returned 1 [0090.225] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.225] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0090.225] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0090.225] CloseHandle (hObject=0x1fc) returned 1 [0090.225] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html.protected") returned 170 [0090.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html.protected")) returned 1 [0090.226] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0090.226] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0090.226] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 179 [0090.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0090.226] lstrlenA (lpString="EMPTY") returned 5 [0090.226] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0090.227] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.227] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0090.227] CloseHandle (hObject=0x1f8) returned 1 [0090.228] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0090.228] lstrcmpiW (lpString1="cloud_route_details", lpString2="Windows") returned -1 [0090.228] lstrcmpiW (lpString1="cloud_route_details", lpString2="Program Files") returned -1 [0090.228] lstrcmpiW (lpString1="cloud_route_details", lpString2="Program Files (x86)") returned -1 [0090.228] lstrcmpiW (lpString1="cloud_route_details", lpString2="$Recycle.bin") returned 1 [0090.228] lstrcmpiW (lpString1="cloud_route_details", lpString2="System Volume Information") returned -1 [0090.228] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details") returned 158 [0090.228] lstrcmpW (lpString1="cloud_route_details", lpString2=".") returned 1 [0090.228] lstrcmpW (lpString1="cloud_route_details", lpString2="..") returned 1 [0090.228] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\*") returned 160 [0090.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0090.228] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.228] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.228] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.228] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.228] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.228] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\.") returned 160 [0090.228] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.228] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.228] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.228] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.228] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.228] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.228] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.228] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\..") returned 161 [0090.228] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.229] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.229] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.229] lstrcmpiW (lpString1="view.html", lpString2="Windows") returned -1 [0090.229] lstrcmpiW (lpString1="view.html", lpString2="Program Files") returned 1 [0090.229] lstrcmpiW (lpString1="view.html", lpString2="Program Files (x86)") returned 1 [0090.229] lstrcmpiW (lpString1="view.html", lpString2="$Recycle.bin") returned 1 [0090.229] lstrcmpiW (lpString1="view.html", lpString2="System Volume Information") returned 1 [0090.229] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html") returned 168 [0090.229] StrStrIW (lpFirst="view.html", lpSrch=".protected") returned 0x0 [0090.229] lstrcmpW (lpString1="view.html", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.229] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0090.229] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0090.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html") returned 168 [0090.229] StrStrW (lpFirst="view.html", lpSrch=".txt") returned 0x0 [0090.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html") returned 168 [0090.229] StrStrW (lpFirst="view.html", lpSrch=".rar") returned 0x0 [0090.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html") returned 168 [0090.229] StrStrW (lpFirst="view.html", lpSrch=".zip") returned 0x0 [0090.230] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x174c, lpOverlapped=0x0) returned 1 [0090.240] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffe8b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.240] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x174c, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x174c, lpOverlapped=0x0) returned 1 [0090.240] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.240] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0090.241] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0090.241] CloseHandle (hObject=0x1fc) returned 1 [0090.241] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html.protected") returned 178 [0090.241] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html.protected")) returned 1 [0090.242] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.242] lstrcmpiW (lpString1="view.js", lpString2="Windows") returned -1 [0090.242] lstrcmpiW (lpString1="view.js", lpString2="Program Files") returned 1 [0090.242] lstrcmpiW (lpString1="view.js", lpString2="Program Files (x86)") returned 1 [0090.242] lstrcmpiW (lpString1="view.js", lpString2="$Recycle.bin") returned 1 [0090.242] lstrcmpiW (lpString1="view.js", lpString2="System Volume Information") returned 1 [0090.242] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js") returned 166 [0090.242] StrStrIW (lpFirst="view.js", lpSrch=".protected") returned 0x0 [0090.242] lstrcmpW (lpString1="view.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.242] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0090.242] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0090.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.243] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js") returned 166 [0090.243] StrStrW (lpFirst="view.js", lpSrch=".txt") returned 0x0 [0090.243] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js") returned 166 [0090.243] StrStrW (lpFirst="view.js", lpSrch=".rar") returned 0x0 [0090.243] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js") returned 166 [0090.243] StrStrW (lpFirst="view.js", lpSrch=".zip") returned 0x0 [0090.243] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x945, lpOverlapped=0x0) returned 1 [0090.255] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffff6bb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.255] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x945, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x945, lpOverlapped=0x0) returned 1 [0090.255] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.255] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0090.255] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0090.256] CloseHandle (hObject=0x1fc) returned 1 [0090.256] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js.protected") returned 176 [0090.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js.protected")) returned 1 [0090.257] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0090.257] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0090.257] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 188 [0090.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0090.281] lstrlenA (lpString="EMPTY") returned 5 [0090.281] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0090.281] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.281] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0090.282] CloseHandle (hObject=0x1f8) returned 1 [0090.282] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0090.282] lstrcmpiW (lpString1="common.js", lpString2="Windows") returned -1 [0090.282] lstrcmpiW (lpString1="common.js", lpString2="Program Files") returned -1 [0090.282] lstrcmpiW (lpString1="common.js", lpString2="Program Files (x86)") returned -1 [0090.282] lstrcmpiW (lpString1="common.js", lpString2="$Recycle.bin") returned 1 [0090.282] lstrcmpiW (lpString1="common.js", lpString2="System Volume Information") returned -1 [0090.282] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js") returned 148 [0090.282] StrStrIW (lpFirst="common.js", lpSrch=".protected") returned 0x0 [0090.282] lstrcmpW (lpString1="common.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0090.282] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0090.282] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0090.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0090.282] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js") returned 148 [0090.282] StrStrW (lpFirst="common.js", lpSrch=".txt") returned 0x0 [0090.283] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js") returned 148 [0090.283] StrStrW (lpFirst="common.js", lpSrch=".rar") returned 0x0 [0090.283] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js") returned 148 [0090.283] StrStrW (lpFirst="common.js", lpSrch=".zip") returned 0x0 [0090.283] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.327] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.327] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.328] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.328] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0090.328] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0090.328] CloseHandle (hObject=0x1f8) returned 1 [0090.329] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js.protected") returned 158 [0090.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js.protected")) returned 1 [0090.330] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0090.330] lstrcmpiW (lpString1="feedback.css", lpString2="Windows") returned -1 [0090.330] lstrcmpiW (lpString1="feedback.css", lpString2="Program Files") returned -1 [0090.330] lstrcmpiW (lpString1="feedback.css", lpString2="Program Files (x86)") returned -1 [0090.330] lstrcmpiW (lpString1="feedback.css", lpString2="$Recycle.bin") returned 1 [0090.330] lstrcmpiW (lpString1="feedback.css", lpString2="System Volume Information") returned -1 [0090.330] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css") returned 151 [0090.330] StrStrIW (lpFirst="feedback.css", lpSrch=".protected") returned 0x0 [0090.330] lstrcmpW (lpString1="feedback.css", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0090.330] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0090.330] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0090.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0090.330] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css") returned 151 [0090.330] StrStrW (lpFirst="feedback.css", lpSrch=".txt") returned 0x0 [0090.330] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css") returned 151 [0090.330] StrStrW (lpFirst="feedback.css", lpSrch=".rar") returned 0x0 [0090.330] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css") returned 151 [0090.330] StrStrW (lpFirst="feedback.css", lpSrch=".zip") returned 0x0 [0090.330] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0xc26, lpOverlapped=0x0) returned 1 [0090.332] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffff3da, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.332] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0xc26, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0xc26, lpOverlapped=0x0) returned 1 [0090.332] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.332] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0090.333] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0090.333] CloseHandle (hObject=0x1f8) returned 1 [0090.333] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css.protected") returned 161 [0090.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css.protected")) returned 1 [0090.334] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0090.334] lstrcmpiW (lpString1="feedback.html", lpString2="Windows") returned -1 [0090.334] lstrcmpiW (lpString1="feedback.html", lpString2="Program Files") returned -1 [0090.334] lstrcmpiW (lpString1="feedback.html", lpString2="Program Files (x86)") returned -1 [0090.334] lstrcmpiW (lpString1="feedback.html", lpString2="$Recycle.bin") returned 1 [0090.334] lstrcmpiW (lpString1="feedback.html", lpString2="System Volume Information") returned -1 [0090.334] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html") returned 152 [0090.334] StrStrIW (lpFirst="feedback.html", lpSrch=".protected") returned 0x0 [0090.334] lstrcmpW (lpString1="feedback.html", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0090.334] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0090.334] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0090.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0090.334] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html") returned 152 [0090.335] StrStrW (lpFirst="feedback.html", lpSrch=".txt") returned 0x0 [0090.335] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html") returned 152 [0090.335] StrStrW (lpFirst="feedback.html", lpSrch=".rar") returned 0x0 [0090.335] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html") returned 152 [0090.335] StrStrW (lpFirst="feedback.html", lpSrch=".zip") returned 0x0 [0090.335] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.354] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.355] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.356] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.356] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0090.356] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0090.356] CloseHandle (hObject=0x1f8) returned 1 [0090.356] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html.protected") returned 162 [0090.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html.protected")) returned 1 [0090.357] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0090.357] lstrcmpiW (lpString1="feedback_script.js", lpString2="Windows") returned -1 [0090.357] lstrcmpiW (lpString1="feedback_script.js", lpString2="Program Files") returned -1 [0090.357] lstrcmpiW (lpString1="feedback_script.js", lpString2="Program Files (x86)") returned -1 [0090.358] lstrcmpiW (lpString1="feedback_script.js", lpString2="$Recycle.bin") returned 1 [0090.358] lstrcmpiW (lpString1="feedback_script.js", lpString2="System Volume Information") returned -1 [0090.358] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js") returned 157 [0090.358] StrStrIW (lpFirst="feedback_script.js", lpSrch=".protected") returned 0x0 [0090.358] lstrcmpW (lpString1="feedback_script.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0090.358] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0090.358] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0090.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0090.359] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js") returned 157 [0090.359] StrStrW (lpFirst="feedback_script.js", lpSrch=".txt") returned 0x0 [0090.359] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js") returned 157 [0090.359] StrStrW (lpFirst="feedback_script.js", lpSrch=".rar") returned 0x0 [0090.359] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js") returned 157 [0090.359] StrStrW (lpFirst="feedback_script.js", lpSrch=".zip") returned 0x0 [0090.359] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.381] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.381] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.382] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.382] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0090.382] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0090.382] CloseHandle (hObject=0x1f8) returned 1 [0090.383] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js.protected") returned 167 [0090.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js.protected")) returned 1 [0090.384] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0090.384] lstrcmpiW (lpString1="manifest.json", lpString2="Windows") returned -1 [0090.384] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files") returned -1 [0090.384] lstrcmpiW (lpString1="manifest.json", lpString2="Program Files (x86)") returned -1 [0090.384] lstrcmpiW (lpString1="manifest.json", lpString2="$Recycle.bin") returned 1 [0090.384] lstrcmpiW (lpString1="manifest.json", lpString2="System Volume Information") returned -1 [0090.384] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json") returned 152 [0090.384] StrStrIW (lpFirst="manifest.json", lpSrch=".protected") returned 0x0 [0090.384] lstrcmpW (lpString1="manifest.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.384] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0090.384] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0090.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0090.385] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json") returned 152 [0090.385] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0090.385] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json") returned 152 [0090.385] StrStrW (lpFirst="manifest.json", lpSrch=".rar") returned 0x0 [0090.385] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json") returned 152 [0090.385] StrStrW (lpFirst="manifest.json", lpSrch=".zip") returned 0x0 [0090.385] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x8f8, lpOverlapped=0x0) returned 1 [0090.386] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffff708, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.386] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x8f8, lpOverlapped=0x0) returned 1 [0090.387] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.387] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0090.387] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0090.387] CloseHandle (hObject=0x1f8) returned 1 [0090.387] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json.protected") returned 162 [0090.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json.protected")) returned 1 [0090.388] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0090.388] lstrcmpiW (lpString1="material_css_min.css", lpString2="Windows") returned -1 [0090.388] lstrcmpiW (lpString1="material_css_min.css", lpString2="Program Files") returned -1 [0090.388] lstrcmpiW (lpString1="material_css_min.css", lpString2="Program Files (x86)") returned -1 [0090.388] lstrcmpiW (lpString1="material_css_min.css", lpString2="$Recycle.bin") returned 1 [0090.388] lstrcmpiW (lpString1="material_css_min.css", lpString2="System Volume Information") returned -1 [0090.388] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css") returned 159 [0090.388] StrStrIW (lpFirst="material_css_min.css", lpSrch=".protected") returned 0x0 [0090.388] lstrcmpW (lpString1="material_css_min.css", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.388] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0090.388] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0090.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0090.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css") returned 159 [0090.389] StrStrW (lpFirst="material_css_min.css", lpSrch=".txt") returned 0x0 [0090.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css") returned 159 [0090.389] StrStrW (lpFirst="material_css_min.css", lpSrch=".rar") returned 0x0 [0090.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css") returned 159 [0090.389] StrStrW (lpFirst="material_css_min.css", lpSrch=".zip") returned 0x0 [0090.389] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.403] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.403] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.403] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.403] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0090.433] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0090.433] CloseHandle (hObject=0x1f8) returned 1 [0090.434] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css.protected") returned 169 [0090.434] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css.protected")) returned 1 [0090.435] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0090.435] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="Windows") returned -1 [0090.435] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="Program Files") returned -1 [0090.435] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="Program Files (x86)") returned -1 [0090.435] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="$Recycle.bin") returned 1 [0090.435] lstrcmpiW (lpString1="mirroring_cast_streaming.js", lpString2="System Volume Information") returned -1 [0090.435] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js") returned 166 [0090.435] StrStrIW (lpFirst="mirroring_cast_streaming.js", lpSrch=".protected") returned 0x0 [0090.435] lstrcmpW (lpString1="mirroring_cast_streaming.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.435] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0090.435] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0090.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0090.435] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js") returned 166 [0090.435] StrStrW (lpFirst="mirroring_cast_streaming.js", lpSrch=".txt") returned 0x0 [0090.435] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js") returned 166 [0090.435] StrStrW (lpFirst="mirroring_cast_streaming.js", lpSrch=".rar") returned 0x0 [0090.435] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js") returned 166 [0090.435] StrStrW (lpFirst="mirroring_cast_streaming.js", lpSrch=".zip") returned 0x0 [0090.435] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.475] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.475] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.475] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.476] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0090.501] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0090.501] CloseHandle (hObject=0x1f8) returned 1 [0090.502] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js.protected") returned 176 [0090.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js.protected")) returned 1 [0090.503] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0090.503] lstrcmpiW (lpString1="mirroring_common.js", lpString2="Windows") returned -1 [0090.503] lstrcmpiW (lpString1="mirroring_common.js", lpString2="Program Files") returned -1 [0090.503] lstrcmpiW (lpString1="mirroring_common.js", lpString2="Program Files (x86)") returned -1 [0090.503] lstrcmpiW (lpString1="mirroring_common.js", lpString2="$Recycle.bin") returned 1 [0090.503] lstrcmpiW (lpString1="mirroring_common.js", lpString2="System Volume Information") returned -1 [0090.503] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js") returned 158 [0090.503] StrStrIW (lpFirst="mirroring_common.js", lpSrch=".protected") returned 0x0 [0090.503] lstrcmpW (lpString1="mirroring_common.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.503] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0090.503] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0090.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0090.503] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js") returned 158 [0090.504] StrStrW (lpFirst="mirroring_common.js", lpSrch=".txt") returned 0x0 [0090.504] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js") returned 158 [0090.504] StrStrW (lpFirst="mirroring_common.js", lpSrch=".rar") returned 0x0 [0090.504] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js") returned 158 [0090.504] StrStrW (lpFirst="mirroring_common.js", lpSrch=".zip") returned 0x0 [0090.504] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.508] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.508] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.509] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.509] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0090.513] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0090.513] CloseHandle (hObject=0x1f8) returned 1 [0090.514] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js.protected") returned 168 [0090.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js.protected")) returned 1 [0090.515] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0090.515] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="Windows") returned -1 [0090.515] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="Program Files") returned -1 [0090.515] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="Program Files (x86)") returned -1 [0090.515] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="$Recycle.bin") returned 1 [0090.515] lstrcmpiW (lpString1="mirroring_hangouts.js", lpString2="System Volume Information") returned -1 [0090.515] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js") returned 160 [0090.515] StrStrIW (lpFirst="mirroring_hangouts.js", lpSrch=".protected") returned 0x0 [0090.515] lstrcmpW (lpString1="mirroring_hangouts.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.515] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0090.515] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0090.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0090.516] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js") returned 160 [0090.516] StrStrW (lpFirst="mirroring_hangouts.js", lpSrch=".txt") returned 0x0 [0090.516] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js") returned 160 [0090.516] StrStrW (lpFirst="mirroring_hangouts.js", lpSrch=".rar") returned 0x0 [0090.516] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js") returned 160 [0090.516] StrStrW (lpFirst="mirroring_hangouts.js", lpSrch=".zip") returned 0x0 [0090.516] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.518] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.518] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x2800, lpOverlapped=0x0) returned 1 [0090.520] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.520] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0090.532] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0090.532] CloseHandle (hObject=0x1f8) returned 1 [0090.533] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js.protected") returned 170 [0090.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js.protected")) returned 1 [0090.534] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0090.534] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="Windows") returned -1 [0090.534] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="Program Files") returned -1 [0090.534] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="Program Files (x86)") returned -1 [0090.534] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="$Recycle.bin") returned 1 [0090.534] lstrcmpiW (lpString1="mirroring_webrtc.js", lpString2="System Volume Information") returned -1 [0090.534] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js") returned 158 [0090.534] StrStrIW (lpFirst="mirroring_webrtc.js", lpSrch=".protected") returned 0x0 [0090.534] lstrcmpW (lpString1="mirroring_webrtc.js", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.534] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed6e8 | out: pbBuffer=0x2ed6e8) returned 1 [0090.534] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed6dc*=0x30) returned 1 [0090.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0090.535] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js") returned 158 [0090.535] StrStrW (lpFirst="mirroring_webrtc.js", lpSrch=".txt") returned 0x0 [0090.535] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js") returned 158 [0090.535] StrStrW (lpFirst="mirroring_webrtc.js", lpSrch=".rar") returned 0x0 [0090.535] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js") returned 158 [0090.535] StrStrW (lpFirst="mirroring_webrtc.js", lpSrch=".zip") returned 0x0 [0090.536] ReadFile (in: hFile=0x1f8, lpBuffer=0x61f818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesRead=0x2ed6b8*=0x941, lpOverlapped=0x0) returned 1 [0090.559] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffff6bf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.559] WriteFile (in: hFile=0x1f8, lpBuffer=0x61f818*, nNumberOfBytesToWrite=0x941, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x61f818*, lpNumberOfBytesWritten=0x2ed6b8*=0x941, lpOverlapped=0x0) returned 1 [0090.560] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.560] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ed6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x2ed6e4*, lpNumberOfBytesWritten=0x2ed6b8*=0x4, lpOverlapped=0x0) returned 1 [0090.560] WriteFile (in: hFile=0x1f8, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed6b8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed6b8*=0x30, lpOverlapped=0x0) returned 1 [0090.560] CloseHandle (hObject=0x1f8) returned 1 [0090.561] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js.protected") returned 168 [0090.561] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js.protected")) returned 1 [0090.562] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0090.562] lstrcmpiW (lpString1="_locales", lpString2="Windows") returned -1 [0090.562] lstrcmpiW (lpString1="_locales", lpString2="Program Files") returned -1 [0090.562] lstrcmpiW (lpString1="_locales", lpString2="Program Files (x86)") returned -1 [0090.562] lstrcmpiW (lpString1="_locales", lpString2="$Recycle.bin") returned 1 [0090.562] lstrcmpiW (lpString1="_locales", lpString2="System Volume Information") returned -1 [0090.562] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales") returned 147 [0090.562] lstrcmpW (lpString1="_locales", lpString2=".") returned 1 [0090.562] lstrcmpW (lpString1="_locales", lpString2="..") returned 1 [0090.562] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\*") returned 149 [0090.562] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0090.563] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.563] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.563] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.563] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.563] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.563] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\.") returned 149 [0090.563] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.563] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.564] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.564] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.564] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.564] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.564] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.564] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\..") returned 150 [0090.564] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.564] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.564] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.564] lstrcmpiW (lpString1="am", lpString2="Windows") returned -1 [0090.564] lstrcmpiW (lpString1="am", lpString2="Program Files") returned -1 [0090.564] lstrcmpiW (lpString1="am", lpString2="Program Files (x86)") returned -1 [0090.564] lstrcmpiW (lpString1="am", lpString2="$Recycle.bin") returned 1 [0090.564] lstrcmpiW (lpString1="am", lpString2="System Volume Information") returned -1 [0090.564] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am") returned 150 [0090.564] lstrcmpW (lpString1="am", lpString2=".") returned 1 [0090.564] lstrcmpW (lpString1="am", lpString2="..") returned 1 [0090.564] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\*") returned 152 [0090.564] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.564] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.564] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.565] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.565] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.565] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.565] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\.") returned 152 [0090.565] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.565] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.565] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.565] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.565] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.565] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.565] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.565] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\..") returned 153 [0090.565] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.565] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.565] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.565] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.565] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.565] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.565] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.565] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.565] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json") returned 164 [0090.565] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.565] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.565] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.565] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.566] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json") returned 164 [0090.566] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.566] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json") returned 164 [0090.566] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.566] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json") returned 164 [0090.566] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.566] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.568] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.568] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.568] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.568] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.568] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.568] CloseHandle (hObject=0x200) returned 1 [0090.569] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json.protected") returned 174 [0090.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json.protected")) returned 1 [0090.570] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.570] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.570] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.571] lstrlenA (lpString="EMPTY") returned 5 [0090.571] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.571] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.572] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.572] CloseHandle (hObject=0x1fc) returned 1 [0090.572] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.572] lstrcmpiW (lpString1="ar", lpString2="Windows") returned -1 [0090.572] lstrcmpiW (lpString1="ar", lpString2="Program Files") returned -1 [0090.572] lstrcmpiW (lpString1="ar", lpString2="Program Files (x86)") returned -1 [0090.572] lstrcmpiW (lpString1="ar", lpString2="$Recycle.bin") returned 1 [0090.572] lstrcmpiW (lpString1="ar", lpString2="System Volume Information") returned -1 [0090.572] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar") returned 150 [0090.572] lstrcmpW (lpString1="ar", lpString2=".") returned 1 [0090.572] lstrcmpW (lpString1="ar", lpString2="..") returned 1 [0090.572] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\*") returned 152 [0090.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.572] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.572] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.572] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.572] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.572] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.572] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\.") returned 152 [0090.572] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.572] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.572] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.572] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.572] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.572] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.572] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.572] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\..") returned 153 [0090.572] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.573] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.573] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.573] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.573] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.573] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.573] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.573] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.573] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json") returned 164 [0090.573] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.573] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.573] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.573] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.573] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json") returned 164 [0090.573] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.573] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json") returned 164 [0090.573] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.573] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json") returned 164 [0090.573] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.573] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.575] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.575] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.575] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.575] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.575] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.575] CloseHandle (hObject=0x200) returned 1 [0090.576] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json.protected") returned 174 [0090.576] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json.protected")) returned 1 [0090.576] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.576] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.576] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.576] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.577] lstrlenA (lpString="EMPTY") returned 5 [0090.577] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.578] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.578] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.578] CloseHandle (hObject=0x1fc) returned 1 [0090.578] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.578] lstrcmpiW (lpString1="bg", lpString2="Windows") returned -1 [0090.578] lstrcmpiW (lpString1="bg", lpString2="Program Files") returned -1 [0090.578] lstrcmpiW (lpString1="bg", lpString2="Program Files (x86)") returned -1 [0090.578] lstrcmpiW (lpString1="bg", lpString2="$Recycle.bin") returned 1 [0090.578] lstrcmpiW (lpString1="bg", lpString2="System Volume Information") returned -1 [0090.578] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg") returned 150 [0090.578] lstrcmpW (lpString1="bg", lpString2=".") returned 1 [0090.578] lstrcmpW (lpString1="bg", lpString2="..") returned 1 [0090.578] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\*") returned 152 [0090.578] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.578] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.578] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.578] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.578] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.578] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.578] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\.") returned 152 [0090.578] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.578] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.578] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.579] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.579] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.579] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.579] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.579] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\..") returned 153 [0090.579] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.579] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.579] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.579] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.579] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.579] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.579] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.579] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.579] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json") returned 164 [0090.579] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.579] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.579] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.579] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.580] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json") returned 164 [0090.580] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.580] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json") returned 164 [0090.580] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.580] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json") returned 164 [0090.580] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.580] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.581] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.582] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.582] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.582] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.582] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.582] CloseHandle (hObject=0x200) returned 1 [0090.582] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json.protected") returned 174 [0090.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json.protected")) returned 1 [0090.583] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.583] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.583] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.584] lstrlenA (lpString="EMPTY") returned 5 [0090.584] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.584] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.584] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.584] CloseHandle (hObject=0x1fc) returned 1 [0090.585] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.585] lstrcmpiW (lpString1="bn", lpString2="Windows") returned -1 [0090.585] lstrcmpiW (lpString1="bn", lpString2="Program Files") returned -1 [0090.585] lstrcmpiW (lpString1="bn", lpString2="Program Files (x86)") returned -1 [0090.585] lstrcmpiW (lpString1="bn", lpString2="$Recycle.bin") returned 1 [0090.585] lstrcmpiW (lpString1="bn", lpString2="System Volume Information") returned -1 [0090.585] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn") returned 150 [0090.585] lstrcmpW (lpString1="bn", lpString2=".") returned 1 [0090.585] lstrcmpW (lpString1="bn", lpString2="..") returned 1 [0090.585] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\*") returned 152 [0090.585] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.585] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.585] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.585] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.585] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.585] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.585] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\.") returned 152 [0090.585] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.585] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.585] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.585] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.585] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.585] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.585] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.585] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\..") returned 153 [0090.585] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.585] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.585] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.585] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.585] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.585] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.585] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.585] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.585] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json") returned 164 [0090.586] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.586] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.586] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.586] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json") returned 164 [0090.586] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json") returned 164 [0090.586] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.586] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json") returned 164 [0090.586] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.586] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.588] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.588] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.588] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.588] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.588] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.588] CloseHandle (hObject=0x200) returned 1 [0090.588] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json.protected") returned 174 [0090.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json.protected")) returned 1 [0090.589] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.589] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.589] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.589] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.590] lstrlenA (lpString="EMPTY") returned 5 [0090.590] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.590] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.590] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.590] CloseHandle (hObject=0x1fc) returned 1 [0090.591] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.591] lstrcmpiW (lpString1="ca", lpString2="Windows") returned -1 [0090.591] lstrcmpiW (lpString1="ca", lpString2="Program Files") returned -1 [0090.591] lstrcmpiW (lpString1="ca", lpString2="Program Files (x86)") returned -1 [0090.591] lstrcmpiW (lpString1="ca", lpString2="$Recycle.bin") returned 1 [0090.591] lstrcmpiW (lpString1="ca", lpString2="System Volume Information") returned -1 [0090.591] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca") returned 150 [0090.591] lstrcmpW (lpString1="ca", lpString2=".") returned 1 [0090.591] lstrcmpW (lpString1="ca", lpString2="..") returned 1 [0090.591] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\*") returned 152 [0090.591] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.591] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.591] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.591] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.591] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.591] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.591] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\.") returned 152 [0090.591] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.591] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.591] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.591] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.591] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.591] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.591] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.591] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\..") returned 153 [0090.591] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.591] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.591] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.591] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.591] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.591] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.591] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.591] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.591] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json") returned 164 [0090.591] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.591] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.592] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.592] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.592] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.592] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json") returned 164 [0090.592] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.592] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json") returned 164 [0090.592] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.592] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json") returned 164 [0090.592] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.592] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.606] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.606] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.607] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.607] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.607] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.607] CloseHandle (hObject=0x200) returned 1 [0090.607] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json.protected") returned 174 [0090.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json.protected")) returned 1 [0090.608] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.608] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.608] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.608] lstrlenA (lpString="EMPTY") returned 5 [0090.608] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.609] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.609] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.609] CloseHandle (hObject=0x1fc) returned 1 [0090.609] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.609] lstrcmpiW (lpString1="cs", lpString2="Windows") returned -1 [0090.609] lstrcmpiW (lpString1="cs", lpString2="Program Files") returned -1 [0090.610] lstrcmpiW (lpString1="cs", lpString2="Program Files (x86)") returned -1 [0090.610] lstrcmpiW (lpString1="cs", lpString2="$Recycle.bin") returned 1 [0090.610] lstrcmpiW (lpString1="cs", lpString2="System Volume Information") returned -1 [0090.610] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs") returned 150 [0090.610] lstrcmpW (lpString1="cs", lpString2=".") returned 1 [0090.610] lstrcmpW (lpString1="cs", lpString2="..") returned 1 [0090.610] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\*") returned 152 [0090.610] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.610] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.610] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.610] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.610] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.610] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.610] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\.") returned 152 [0090.610] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.610] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.610] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.610] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.610] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.610] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.610] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.610] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\..") returned 153 [0090.610] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.610] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.610] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.610] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.610] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.610] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.610] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.610] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.610] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json") returned 164 [0090.610] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.610] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.610] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.610] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json") returned 164 [0090.611] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json") returned 164 [0090.611] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json") returned 164 [0090.611] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.611] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.639] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.639] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.639] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.639] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.639] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.639] CloseHandle (hObject=0x200) returned 1 [0090.639] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json.protected") returned 174 [0090.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json.protected")) returned 1 [0090.640] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.640] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.640] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.641] lstrlenA (lpString="EMPTY") returned 5 [0090.641] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.641] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.641] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.641] CloseHandle (hObject=0x1fc) returned 1 [0090.641] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.642] lstrcmpiW (lpString1="da", lpString2="Windows") returned -1 [0090.642] lstrcmpiW (lpString1="da", lpString2="Program Files") returned -1 [0090.642] lstrcmpiW (lpString1="da", lpString2="Program Files (x86)") returned -1 [0090.642] lstrcmpiW (lpString1="da", lpString2="$Recycle.bin") returned 1 [0090.642] lstrcmpiW (lpString1="da", lpString2="System Volume Information") returned -1 [0090.642] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da") returned 150 [0090.642] lstrcmpW (lpString1="da", lpString2=".") returned 1 [0090.642] lstrcmpW (lpString1="da", lpString2="..") returned 1 [0090.642] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\*") returned 152 [0090.642] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.642] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.642] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.642] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.642] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.642] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.642] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\.") returned 152 [0090.642] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.642] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.642] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.642] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.642] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.642] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.642] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.642] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\..") returned 153 [0090.642] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.642] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.642] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.642] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.642] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.642] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.642] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.642] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.642] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json") returned 164 [0090.642] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.643] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.643] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.643] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.643] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.643] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json") returned 164 [0090.644] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.644] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json") returned 164 [0090.644] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.644] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json") returned 164 [0090.644] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.644] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.647] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.647] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.647] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.647] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.647] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.647] CloseHandle (hObject=0x200) returned 1 [0090.647] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json.protected") returned 174 [0090.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json.protected")) returned 1 [0090.648] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.648] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.648] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.649] lstrlenA (lpString="EMPTY") returned 5 [0090.649] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.649] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.649] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.650] CloseHandle (hObject=0x1fc) returned 1 [0090.650] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.650] lstrcmpiW (lpString1="de", lpString2="Windows") returned -1 [0090.650] lstrcmpiW (lpString1="de", lpString2="Program Files") returned -1 [0090.650] lstrcmpiW (lpString1="de", lpString2="Program Files (x86)") returned -1 [0090.650] lstrcmpiW (lpString1="de", lpString2="$Recycle.bin") returned 1 [0090.650] lstrcmpiW (lpString1="de", lpString2="System Volume Information") returned -1 [0090.650] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de") returned 150 [0090.650] lstrcmpW (lpString1="de", lpString2=".") returned 1 [0090.650] lstrcmpW (lpString1="de", lpString2="..") returned 1 [0090.650] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\*") returned 152 [0090.650] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.650] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.650] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.650] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.650] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.650] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.650] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\.") returned 152 [0090.650] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.650] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.650] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.650] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.650] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.650] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.650] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.650] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\..") returned 153 [0090.650] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.650] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.650] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.651] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.651] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.651] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.651] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.651] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.651] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json") returned 164 [0090.651] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.651] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.651] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.651] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.651] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json") returned 164 [0090.651] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.651] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json") returned 164 [0090.651] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.651] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json") returned 164 [0090.651] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.651] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.666] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.666] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.667] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.667] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.683] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.683] CloseHandle (hObject=0x200) returned 1 [0090.683] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json.protected") returned 174 [0090.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json.protected")) returned 1 [0090.684] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.684] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.684] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.684] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.685] lstrlenA (lpString="EMPTY") returned 5 [0090.685] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.685] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.685] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.686] CloseHandle (hObject=0x1fc) returned 1 [0090.686] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.686] lstrcmpiW (lpString1="el", lpString2="Windows") returned -1 [0090.686] lstrcmpiW (lpString1="el", lpString2="Program Files") returned -1 [0090.686] lstrcmpiW (lpString1="el", lpString2="Program Files (x86)") returned -1 [0090.686] lstrcmpiW (lpString1="el", lpString2="$Recycle.bin") returned 1 [0090.686] lstrcmpiW (lpString1="el", lpString2="System Volume Information") returned -1 [0090.686] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el") returned 150 [0090.686] lstrcmpW (lpString1="el", lpString2=".") returned 1 [0090.686] lstrcmpW (lpString1="el", lpString2="..") returned 1 [0090.686] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\*") returned 152 [0090.686] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.686] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.686] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.686] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.686] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.686] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.686] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\.") returned 152 [0090.686] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.686] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.686] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.686] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.686] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.687] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.687] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.687] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\..") returned 153 [0090.687] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.687] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.687] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.687] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.687] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.687] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.687] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.687] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.687] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json") returned 164 [0090.687] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.687] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.687] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.687] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.687] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.688] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json") returned 164 [0090.688] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.688] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json") returned 164 [0090.688] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.688] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json") returned 164 [0090.688] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.688] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.724] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.724] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.725] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.725] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.725] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.725] CloseHandle (hObject=0x200) returned 1 [0090.725] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json.protected") returned 174 [0090.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json.protected")) returned 1 [0090.726] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.726] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.726] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.727] lstrlenA (lpString="EMPTY") returned 5 [0090.727] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.727] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.727] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.728] CloseHandle (hObject=0x1fc) returned 1 [0090.728] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.728] lstrcmpiW (lpString1="en", lpString2="Windows") returned -1 [0090.728] lstrcmpiW (lpString1="en", lpString2="Program Files") returned -1 [0090.728] lstrcmpiW (lpString1="en", lpString2="Program Files (x86)") returned -1 [0090.728] lstrcmpiW (lpString1="en", lpString2="$Recycle.bin") returned 1 [0090.728] lstrcmpiW (lpString1="en", lpString2="System Volume Information") returned -1 [0090.728] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en") returned 150 [0090.728] lstrcmpW (lpString1="en", lpString2=".") returned 1 [0090.728] lstrcmpW (lpString1="en", lpString2="..") returned 1 [0090.728] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\*") returned 152 [0090.728] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.728] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.728] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.728] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.728] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.728] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.728] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\.") returned 152 [0090.728] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.728] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.728] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.728] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.728] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.728] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.728] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.728] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\..") returned 153 [0090.728] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.729] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.729] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.729] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.729] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.729] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.729] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.729] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.729] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json") returned 164 [0090.729] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.729] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.729] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.729] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.729] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json") returned 164 [0090.729] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.729] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json") returned 164 [0090.729] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.729] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json") returned 164 [0090.729] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.729] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.804] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.804] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.805] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.805] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.805] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.805] CloseHandle (hObject=0x200) returned 1 [0090.805] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json.protected") returned 174 [0090.805] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json.protected")) returned 1 [0090.806] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.806] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.806] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.806] lstrlenA (lpString="EMPTY") returned 5 [0090.806] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.807] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.807] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.807] CloseHandle (hObject=0x1fc) returned 1 [0090.807] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.807] lstrcmpiW (lpString1="es", lpString2="Windows") returned -1 [0090.807] lstrcmpiW (lpString1="es", lpString2="Program Files") returned -1 [0090.807] lstrcmpiW (lpString1="es", lpString2="Program Files (x86)") returned -1 [0090.807] lstrcmpiW (lpString1="es", lpString2="$Recycle.bin") returned 1 [0090.807] lstrcmpiW (lpString1="es", lpString2="System Volume Information") returned -1 [0090.807] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es") returned 150 [0090.807] lstrcmpW (lpString1="es", lpString2=".") returned 1 [0090.807] lstrcmpW (lpString1="es", lpString2="..") returned 1 [0090.807] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\*") returned 152 [0090.807] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.808] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.808] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.808] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.808] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.808] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.808] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\.") returned 152 [0090.808] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.808] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.808] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.808] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.808] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.808] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.808] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.808] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\..") returned 153 [0090.808] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.808] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.808] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.808] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.808] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.808] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.808] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.808] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.808] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json") returned 164 [0090.808] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.808] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.808] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.808] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.809] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json") returned 164 [0090.809] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.809] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json") returned 164 [0090.809] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.809] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json") returned 164 [0090.809] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.809] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.838] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.838] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.839] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.839] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.839] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.839] CloseHandle (hObject=0x200) returned 1 [0090.839] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json.protected") returned 174 [0090.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json.protected")) returned 1 [0090.840] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.840] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.840] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.841] lstrlenA (lpString="EMPTY") returned 5 [0090.841] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.842] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.842] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.842] CloseHandle (hObject=0x1fc) returned 1 [0090.842] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.842] lstrcmpiW (lpString1="et", lpString2="Windows") returned -1 [0090.842] lstrcmpiW (lpString1="et", lpString2="Program Files") returned -1 [0090.842] lstrcmpiW (lpString1="et", lpString2="Program Files (x86)") returned -1 [0090.842] lstrcmpiW (lpString1="et", lpString2="$Recycle.bin") returned 1 [0090.842] lstrcmpiW (lpString1="et", lpString2="System Volume Information") returned -1 [0090.842] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et") returned 150 [0090.842] lstrcmpW (lpString1="et", lpString2=".") returned 1 [0090.842] lstrcmpW (lpString1="et", lpString2="..") returned 1 [0090.842] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\*") returned 152 [0090.842] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.842] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.842] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.842] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.843] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.843] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.843] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\.") returned 152 [0090.843] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.843] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.843] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.843] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.843] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.843] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.843] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.843] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\..") returned 153 [0090.843] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.843] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.843] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.843] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.843] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.843] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.843] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.843] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.843] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json") returned 164 [0090.843] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.843] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.843] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.843] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.844] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json") returned 164 [0090.844] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.844] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json") returned 164 [0090.844] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.844] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json") returned 164 [0090.844] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.844] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.848] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.848] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.849] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.849] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.849] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.849] CloseHandle (hObject=0x200) returned 1 [0090.849] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json.protected") returned 174 [0090.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json.protected")) returned 1 [0090.850] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.850] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.850] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.850] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.851] lstrlenA (lpString="EMPTY") returned 5 [0090.851] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.851] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.851] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.852] CloseHandle (hObject=0x1fc) returned 1 [0090.852] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.852] lstrcmpiW (lpString1="fa", lpString2="Windows") returned -1 [0090.852] lstrcmpiW (lpString1="fa", lpString2="Program Files") returned -1 [0090.852] lstrcmpiW (lpString1="fa", lpString2="Program Files (x86)") returned -1 [0090.852] lstrcmpiW (lpString1="fa", lpString2="$Recycle.bin") returned 1 [0090.852] lstrcmpiW (lpString1="fa", lpString2="System Volume Information") returned -1 [0090.852] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa") returned 150 [0090.852] lstrcmpW (lpString1="fa", lpString2=".") returned 1 [0090.852] lstrcmpW (lpString1="fa", lpString2="..") returned 1 [0090.852] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\*") returned 152 [0090.852] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.852] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.852] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.852] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.852] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.852] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.852] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\.") returned 152 [0090.852] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.852] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.853] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.853] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.853] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.853] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.853] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.853] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\..") returned 153 [0090.853] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.853] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.853] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.853] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.853] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.853] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.853] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.853] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.853] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json") returned 164 [0090.853] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.853] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.853] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.853] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.853] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.854] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json") returned 164 [0090.854] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.854] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json") returned 164 [0090.854] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.854] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json") returned 164 [0090.854] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.854] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.857] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.858] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.858] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.858] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.859] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.859] CloseHandle (hObject=0x200) returned 1 [0090.859] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json.protected") returned 174 [0090.859] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json.protected")) returned 1 [0090.860] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.860] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.860] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.860] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.861] lstrlenA (lpString="EMPTY") returned 5 [0090.861] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.862] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.862] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.862] CloseHandle (hObject=0x1fc) returned 1 [0090.862] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.862] lstrcmpiW (lpString1="fi", lpString2="Windows") returned -1 [0090.862] lstrcmpiW (lpString1="fi", lpString2="Program Files") returned -1 [0090.862] lstrcmpiW (lpString1="fi", lpString2="Program Files (x86)") returned -1 [0090.862] lstrcmpiW (lpString1="fi", lpString2="$Recycle.bin") returned 1 [0090.862] lstrcmpiW (lpString1="fi", lpString2="System Volume Information") returned -1 [0090.862] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi") returned 150 [0090.862] lstrcmpW (lpString1="fi", lpString2=".") returned 1 [0090.862] lstrcmpW (lpString1="fi", lpString2="..") returned 1 [0090.862] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\*") returned 152 [0090.862] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.862] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.862] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.863] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.863] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.863] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.863] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\.") returned 152 [0090.863] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.863] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.863] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.863] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.863] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.863] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.863] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.863] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\..") returned 153 [0090.863] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.863] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.863] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.863] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.863] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.863] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.863] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.863] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.863] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json") returned 164 [0090.863] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.863] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.863] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.863] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json") returned 164 [0090.864] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json") returned 164 [0090.864] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json") returned 164 [0090.864] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.864] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.880] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.880] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.880] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.880] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.880] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.880] CloseHandle (hObject=0x200) returned 1 [0090.880] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json.protected") returned 174 [0090.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json.protected")) returned 1 [0090.881] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.881] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.881] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.881] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.882] lstrlenA (lpString="EMPTY") returned 5 [0090.882] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.883] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.883] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.883] CloseHandle (hObject=0x1fc) returned 1 [0090.883] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.883] lstrcmpiW (lpString1="fil", lpString2="Windows") returned -1 [0090.883] lstrcmpiW (lpString1="fil", lpString2="Program Files") returned -1 [0090.883] lstrcmpiW (lpString1="fil", lpString2="Program Files (x86)") returned -1 [0090.883] lstrcmpiW (lpString1="fil", lpString2="$Recycle.bin") returned 1 [0090.883] lstrcmpiW (lpString1="fil", lpString2="System Volume Information") returned -1 [0090.883] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil") returned 151 [0090.883] lstrcmpW (lpString1="fil", lpString2=".") returned 1 [0090.883] lstrcmpW (lpString1="fil", lpString2="..") returned 1 [0090.883] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\*") returned 153 [0090.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.884] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.884] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.884] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.884] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.884] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.884] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\.") returned 153 [0090.884] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.884] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.884] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.884] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.884] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.884] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.884] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.884] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\..") returned 154 [0090.884] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.884] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.884] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.884] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.884] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.884] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.884] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.884] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.884] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json") returned 165 [0090.884] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.884] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.884] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.884] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.885] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json") returned 165 [0090.885] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.885] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json") returned 165 [0090.885] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.886] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json") returned 165 [0090.886] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.886] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.887] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.887] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.888] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.888] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.888] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.888] CloseHandle (hObject=0x200) returned 1 [0090.888] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json.protected") returned 175 [0090.888] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json.protected")) returned 1 [0090.889] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.889] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.889] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 181 [0090.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.889] lstrlenA (lpString="EMPTY") returned 5 [0090.889] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.890] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.890] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.890] CloseHandle (hObject=0x1fc) returned 1 [0090.891] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.891] lstrcmpiW (lpString1="fr", lpString2="Windows") returned -1 [0090.891] lstrcmpiW (lpString1="fr", lpString2="Program Files") returned -1 [0090.891] lstrcmpiW (lpString1="fr", lpString2="Program Files (x86)") returned -1 [0090.891] lstrcmpiW (lpString1="fr", lpString2="$Recycle.bin") returned 1 [0090.891] lstrcmpiW (lpString1="fr", lpString2="System Volume Information") returned -1 [0090.891] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr") returned 150 [0090.891] lstrcmpW (lpString1="fr", lpString2=".") returned 1 [0090.891] lstrcmpW (lpString1="fr", lpString2="..") returned 1 [0090.891] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\*") returned 152 [0090.891] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.891] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.891] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.891] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.891] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.891] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.891] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\.") returned 152 [0090.891] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.891] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.891] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.891] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.891] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.891] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.891] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.891] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\..") returned 153 [0090.891] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.892] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.892] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.892] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.892] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.892] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.892] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.892] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.892] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json") returned 164 [0090.892] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.892] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.892] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.892] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.892] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json") returned 164 [0090.892] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.892] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json") returned 164 [0090.893] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.893] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json") returned 164 [0090.893] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.893] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.895] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.895] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.895] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.895] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.895] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.895] CloseHandle (hObject=0x200) returned 1 [0090.896] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json.protected") returned 174 [0090.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json.protected")) returned 1 [0090.896] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.896] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.896] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.897] lstrlenA (lpString="EMPTY") returned 5 [0090.897] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.898] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.898] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.898] CloseHandle (hObject=0x1fc) returned 1 [0090.898] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.898] lstrcmpiW (lpString1="gu", lpString2="Windows") returned -1 [0090.898] lstrcmpiW (lpString1="gu", lpString2="Program Files") returned -1 [0090.898] lstrcmpiW (lpString1="gu", lpString2="Program Files (x86)") returned -1 [0090.898] lstrcmpiW (lpString1="gu", lpString2="$Recycle.bin") returned 1 [0090.898] lstrcmpiW (lpString1="gu", lpString2="System Volume Information") returned -1 [0090.898] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu") returned 150 [0090.898] lstrcmpW (lpString1="gu", lpString2=".") returned 1 [0090.898] lstrcmpW (lpString1="gu", lpString2="..") returned 1 [0090.898] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\*") returned 152 [0090.898] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.899] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.899] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.899] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.899] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.899] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.899] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\.") returned 152 [0090.899] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.899] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.899] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.899] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.899] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.899] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.899] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.899] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\..") returned 153 [0090.899] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.899] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.899] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.899] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.899] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.899] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.899] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.899] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.899] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json") returned 164 [0090.899] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.899] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.900] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.900] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.901] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json") returned 164 [0090.901] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.901] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json") returned 164 [0090.901] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.901] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json") returned 164 [0090.901] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.901] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.928] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.929] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.929] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.929] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.947] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.947] CloseHandle (hObject=0x200) returned 1 [0090.947] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json.protected") returned 174 [0090.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json.protected")) returned 1 [0090.948] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.948] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.948] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.948] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.949] lstrlenA (lpString="EMPTY") returned 5 [0090.949] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.950] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.950] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.950] CloseHandle (hObject=0x1fc) returned 1 [0090.950] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.950] lstrcmpiW (lpString1="hi", lpString2="Windows") returned -1 [0090.950] lstrcmpiW (lpString1="hi", lpString2="Program Files") returned -1 [0090.950] lstrcmpiW (lpString1="hi", lpString2="Program Files (x86)") returned -1 [0090.950] lstrcmpiW (lpString1="hi", lpString2="$Recycle.bin") returned 1 [0090.950] lstrcmpiW (lpString1="hi", lpString2="System Volume Information") returned -1 [0090.950] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi") returned 150 [0090.950] lstrcmpW (lpString1="hi", lpString2=".") returned 1 [0090.950] lstrcmpW (lpString1="hi", lpString2="..") returned 1 [0090.950] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\*") returned 152 [0090.950] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.951] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.951] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.951] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.951] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.951] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.951] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\.") returned 152 [0090.951] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.951] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.951] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.951] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.951] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.951] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.951] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.951] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\..") returned 153 [0090.951] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.951] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.951] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.951] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.951] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.951] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.951] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.951] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.951] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json") returned 164 [0090.951] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.951] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.951] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.951] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.951] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.952] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json") returned 164 [0090.952] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.952] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json") returned 164 [0090.952] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.952] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json") returned 164 [0090.952] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.952] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.954] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.954] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.954] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.954] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.954] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.954] CloseHandle (hObject=0x200) returned 1 [0090.955] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json.protected") returned 174 [0090.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json.protected")) returned 1 [0090.955] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.955] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.955] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.955] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.956] lstrlenA (lpString="EMPTY") returned 5 [0090.956] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.957] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.957] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.957] CloseHandle (hObject=0x1fc) returned 1 [0090.957] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.957] lstrcmpiW (lpString1="hr", lpString2="Windows") returned -1 [0090.957] lstrcmpiW (lpString1="hr", lpString2="Program Files") returned -1 [0090.958] lstrcmpiW (lpString1="hr", lpString2="Program Files (x86)") returned -1 [0090.958] lstrcmpiW (lpString1="hr", lpString2="$Recycle.bin") returned 1 [0090.958] lstrcmpiW (lpString1="hr", lpString2="System Volume Information") returned -1 [0090.958] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr") returned 150 [0090.958] lstrcmpW (lpString1="hr", lpString2=".") returned 1 [0090.958] lstrcmpW (lpString1="hr", lpString2="..") returned 1 [0090.958] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\*") returned 152 [0090.958] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.958] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.958] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.958] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.958] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.958] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.958] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\.") returned 152 [0090.958] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.958] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.958] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.958] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.958] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.958] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.958] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.958] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\..") returned 153 [0090.958] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.958] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.958] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.959] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.959] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.959] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.959] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.959] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.959] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json") returned 164 [0090.959] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.959] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.959] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.959] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.960] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json") returned 164 [0090.960] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.960] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json") returned 164 [0090.960] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.960] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json") returned 164 [0090.960] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.960] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.966] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.966] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0090.966] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.966] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0090.966] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0090.966] CloseHandle (hObject=0x200) returned 1 [0090.966] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json.protected") returned 174 [0090.967] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json.protected")) returned 1 [0090.967] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0090.967] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0090.968] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0090.968] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0090.968] lstrlenA (lpString="EMPTY") returned 5 [0090.968] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0090.969] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0090.969] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.969] CloseHandle (hObject=0x1fc) returned 1 [0090.969] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0090.969] lstrcmpiW (lpString1="hu", lpString2="Windows") returned -1 [0090.969] lstrcmpiW (lpString1="hu", lpString2="Program Files") returned -1 [0090.969] lstrcmpiW (lpString1="hu", lpString2="Program Files (x86)") returned -1 [0090.969] lstrcmpiW (lpString1="hu", lpString2="$Recycle.bin") returned 1 [0090.969] lstrcmpiW (lpString1="hu", lpString2="System Volume Information") returned -1 [0090.970] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu") returned 150 [0090.970] lstrcmpW (lpString1="hu", lpString2=".") returned 1 [0090.970] lstrcmpW (lpString1="hu", lpString2="..") returned 1 [0090.970] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\*") returned 152 [0090.970] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0090.970] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.970] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0090.970] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0090.970] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.970] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.970] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\.") returned 152 [0090.970] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.970] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.970] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.970] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0090.970] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0090.970] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.970] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.970] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\..") returned 153 [0090.970] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.970] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.970] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0090.970] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0090.970] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0090.970] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0090.970] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0090.971] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0090.971] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json") returned 164 [0090.971] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0090.971] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0090.971] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0090.971] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0090.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0090.971] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json") returned 164 [0090.971] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0090.971] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json") returned 164 [0090.971] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0090.971] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json") returned 164 [0090.971] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0090.971] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.006] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.006] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.007] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.007] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.064] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.064] CloseHandle (hObject=0x200) returned 1 [0091.065] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json.protected") returned 174 [0091.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json.protected")) returned 1 [0091.066] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.066] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.066] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.066] lstrlenA (lpString="EMPTY") returned 5 [0091.066] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.067] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.067] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.068] CloseHandle (hObject=0x1fc) returned 1 [0091.068] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.068] lstrcmpiW (lpString1="id", lpString2="Windows") returned -1 [0091.068] lstrcmpiW (lpString1="id", lpString2="Program Files") returned -1 [0091.068] lstrcmpiW (lpString1="id", lpString2="Program Files (x86)") returned -1 [0091.068] lstrcmpiW (lpString1="id", lpString2="$Recycle.bin") returned 1 [0091.068] lstrcmpiW (lpString1="id", lpString2="System Volume Information") returned -1 [0091.068] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id") returned 150 [0091.068] lstrcmpW (lpString1="id", lpString2=".") returned 1 [0091.068] lstrcmpW (lpString1="id", lpString2="..") returned 1 [0091.068] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\*") returned 152 [0091.068] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.068] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.068] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.068] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.068] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.068] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.068] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\.") returned 152 [0091.068] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.068] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.068] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.068] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.069] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.069] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.069] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.069] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\..") returned 153 [0091.069] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.069] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.069] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.069] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.069] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.069] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.069] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.069] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.069] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json") returned 164 [0091.069] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.069] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.069] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.069] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.069] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.070] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json") returned 164 [0091.070] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.070] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json") returned 164 [0091.070] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.070] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json") returned 164 [0091.070] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.070] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.088] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.088] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.088] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.089] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.089] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.089] CloseHandle (hObject=0x200) returned 1 [0091.089] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json.protected") returned 174 [0091.089] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json.protected")) returned 1 [0091.090] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.090] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.090] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.090] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.091] lstrlenA (lpString="EMPTY") returned 5 [0091.091] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.091] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.092] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.092] CloseHandle (hObject=0x1fc) returned 1 [0091.092] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.092] lstrcmpiW (lpString1="it", lpString2="Windows") returned -1 [0091.092] lstrcmpiW (lpString1="it", lpString2="Program Files") returned -1 [0091.092] lstrcmpiW (lpString1="it", lpString2="Program Files (x86)") returned -1 [0091.092] lstrcmpiW (lpString1="it", lpString2="$Recycle.bin") returned 1 [0091.092] lstrcmpiW (lpString1="it", lpString2="System Volume Information") returned -1 [0091.092] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it") returned 150 [0091.092] lstrcmpW (lpString1="it", lpString2=".") returned 1 [0091.092] lstrcmpW (lpString1="it", lpString2="..") returned 1 [0091.092] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\*") returned 152 [0091.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.092] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.092] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.092] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.093] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.093] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.093] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\.") returned 152 [0091.093] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.093] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.093] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.093] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.093] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.093] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.093] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.093] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\..") returned 153 [0091.093] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.093] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.093] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.093] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.093] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.093] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.093] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.093] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.093] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json") returned 164 [0091.093] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.093] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.093] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.093] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.093] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.094] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json") returned 164 [0091.094] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.094] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json") returned 164 [0091.094] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.094] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json") returned 164 [0091.094] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.094] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.131] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.131] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.131] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.131] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.132] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.132] CloseHandle (hObject=0x200) returned 1 [0091.132] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json.protected") returned 174 [0091.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json.protected")) returned 1 [0091.132] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.132] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.133] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.133] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.133] lstrlenA (lpString="EMPTY") returned 5 [0091.133] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.134] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.134] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.134] CloseHandle (hObject=0x1fc) returned 1 [0091.135] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.135] lstrcmpiW (lpString1="iw", lpString2="Windows") returned -1 [0091.135] lstrcmpiW (lpString1="iw", lpString2="Program Files") returned -1 [0091.135] lstrcmpiW (lpString1="iw", lpString2="Program Files (x86)") returned -1 [0091.135] lstrcmpiW (lpString1="iw", lpString2="$Recycle.bin") returned 1 [0091.135] lstrcmpiW (lpString1="iw", lpString2="System Volume Information") returned -1 [0091.135] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw") returned 150 [0091.135] lstrcmpW (lpString1="iw", lpString2=".") returned 1 [0091.135] lstrcmpW (lpString1="iw", lpString2="..") returned 1 [0091.135] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\*") returned 152 [0091.135] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.136] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.136] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.136] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.136] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.136] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.136] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\.") returned 152 [0091.136] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.136] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.136] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.136] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.136] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.136] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.136] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.136] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\..") returned 153 [0091.136] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.136] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.136] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.136] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.136] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.136] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.136] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.136] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.136] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json") returned 164 [0091.136] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.136] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.136] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.136] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json") returned 164 [0091.137] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json") returned 164 [0091.137] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.137] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json") returned 164 [0091.137] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.137] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.139] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.139] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.139] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.139] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.139] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.139] CloseHandle (hObject=0x200) returned 1 [0091.139] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json.protected") returned 174 [0091.139] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json.protected")) returned 1 [0091.140] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.140] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.140] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.141] lstrlenA (lpString="EMPTY") returned 5 [0091.141] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.141] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.141] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.141] CloseHandle (hObject=0x1fc) returned 1 [0091.142] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.142] lstrcmpiW (lpString1="ja", lpString2="Windows") returned -1 [0091.142] lstrcmpiW (lpString1="ja", lpString2="Program Files") returned -1 [0091.142] lstrcmpiW (lpString1="ja", lpString2="Program Files (x86)") returned -1 [0091.142] lstrcmpiW (lpString1="ja", lpString2="$Recycle.bin") returned 1 [0091.142] lstrcmpiW (lpString1="ja", lpString2="System Volume Information") returned -1 [0091.142] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja") returned 150 [0091.142] lstrcmpW (lpString1="ja", lpString2=".") returned 1 [0091.142] lstrcmpW (lpString1="ja", lpString2="..") returned 1 [0091.142] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\*") returned 152 [0091.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.142] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.142] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.142] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.142] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.142] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.142] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\.") returned 152 [0091.142] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.142] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.142] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.142] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.142] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.142] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.142] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.142] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\..") returned 153 [0091.142] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.142] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.142] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.142] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.142] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.142] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.142] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.142] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.142] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json") returned 164 [0091.143] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.143] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.143] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.143] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.143] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.144] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json") returned 164 [0091.144] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.144] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json") returned 164 [0091.144] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.144] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json") returned 164 [0091.144] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.144] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.182] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.183] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.183] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.183] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.191] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.191] CloseHandle (hObject=0x200) returned 1 [0091.191] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json.protected") returned 174 [0091.191] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json.protected")) returned 1 [0091.192] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.192] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.192] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.192] lstrlenA (lpString="EMPTY") returned 5 [0091.192] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.193] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.193] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.193] CloseHandle (hObject=0x1fc) returned 1 [0091.193] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.193] lstrcmpiW (lpString1="kn", lpString2="Windows") returned -1 [0091.193] lstrcmpiW (lpString1="kn", lpString2="Program Files") returned -1 [0091.193] lstrcmpiW (lpString1="kn", lpString2="Program Files (x86)") returned -1 [0091.193] lstrcmpiW (lpString1="kn", lpString2="$Recycle.bin") returned 1 [0091.193] lstrcmpiW (lpString1="kn", lpString2="System Volume Information") returned -1 [0091.193] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn") returned 150 [0091.193] lstrcmpW (lpString1="kn", lpString2=".") returned 1 [0091.193] lstrcmpW (lpString1="kn", lpString2="..") returned 1 [0091.193] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\*") returned 152 [0091.194] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.194] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.194] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.194] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.194] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.194] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.194] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\.") returned 152 [0091.194] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.194] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.194] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.194] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.194] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.194] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.194] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.194] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\..") returned 153 [0091.194] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.194] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.194] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.194] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.194] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.194] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.194] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.194] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.194] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json") returned 164 [0091.194] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.194] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.194] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.194] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.195] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json") returned 164 [0091.195] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.195] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json") returned 164 [0091.195] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.195] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json") returned 164 [0091.195] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.195] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.232] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.232] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.232] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.232] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.232] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.232] CloseHandle (hObject=0x200) returned 1 [0091.232] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json.protected") returned 174 [0091.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json.protected")) returned 1 [0091.233] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.233] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.233] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.233] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.234] lstrlenA (lpString="EMPTY") returned 5 [0091.234] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.234] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.234] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.235] CloseHandle (hObject=0x1fc) returned 1 [0091.235] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.235] lstrcmpiW (lpString1="ko", lpString2="Windows") returned -1 [0091.235] lstrcmpiW (lpString1="ko", lpString2="Program Files") returned -1 [0091.235] lstrcmpiW (lpString1="ko", lpString2="Program Files (x86)") returned -1 [0091.235] lstrcmpiW (lpString1="ko", lpString2="$Recycle.bin") returned 1 [0091.235] lstrcmpiW (lpString1="ko", lpString2="System Volume Information") returned -1 [0091.235] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko") returned 150 [0091.235] lstrcmpW (lpString1="ko", lpString2=".") returned 1 [0091.235] lstrcmpW (lpString1="ko", lpString2="..") returned 1 [0091.235] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\*") returned 152 [0091.235] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.235] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.235] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.235] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.235] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.235] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.235] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\.") returned 152 [0091.235] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.235] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.235] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.235] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.235] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.235] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.235] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.235] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\..") returned 153 [0091.235] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.235] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.235] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.235] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.235] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.235] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.235] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.235] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.235] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json") returned 164 [0091.236] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.236] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.236] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.236] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.236] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json") returned 164 [0091.236] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json") returned 164 [0091.236] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json") returned 164 [0091.236] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.236] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.238] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.238] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.238] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.238] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.238] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.238] CloseHandle (hObject=0x200) returned 1 [0091.238] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json.protected") returned 174 [0091.238] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json.protected")) returned 1 [0091.239] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.239] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.239] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.239] lstrlenA (lpString="EMPTY") returned 5 [0091.239] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.240] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.240] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.240] CloseHandle (hObject=0x1fc) returned 1 [0091.240] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.240] lstrcmpiW (lpString1="lt", lpString2="Windows") returned -1 [0091.240] lstrcmpiW (lpString1="lt", lpString2="Program Files") returned -1 [0091.240] lstrcmpiW (lpString1="lt", lpString2="Program Files (x86)") returned -1 [0091.240] lstrcmpiW (lpString1="lt", lpString2="$Recycle.bin") returned 1 [0091.240] lstrcmpiW (lpString1="lt", lpString2="System Volume Information") returned -1 [0091.240] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt") returned 150 [0091.240] lstrcmpW (lpString1="lt", lpString2=".") returned 1 [0091.240] lstrcmpW (lpString1="lt", lpString2="..") returned 1 [0091.240] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\*") returned 152 [0091.240] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.241] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.241] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.241] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.241] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.241] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.241] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\.") returned 152 [0091.241] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.241] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.241] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.241] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.241] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.241] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.241] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.241] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\..") returned 153 [0091.241] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.241] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.241] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.241] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.241] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.241] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.241] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.241] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.241] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json") returned 164 [0091.241] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.241] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.241] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.241] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.242] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json") returned 164 [0091.242] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.242] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json") returned 164 [0091.242] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.242] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json") returned 164 [0091.242] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.242] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.243] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.243] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.244] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.244] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.244] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.244] CloseHandle (hObject=0x200) returned 1 [0091.244] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json.protected") returned 174 [0091.244] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json.protected")) returned 1 [0091.245] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.245] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.245] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.245] lstrlenA (lpString="EMPTY") returned 5 [0091.245] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.248] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.248] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.248] CloseHandle (hObject=0x1fc) returned 1 [0091.248] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.248] lstrcmpiW (lpString1="lv", lpString2="Windows") returned -1 [0091.248] lstrcmpiW (lpString1="lv", lpString2="Program Files") returned -1 [0091.248] lstrcmpiW (lpString1="lv", lpString2="Program Files (x86)") returned -1 [0091.248] lstrcmpiW (lpString1="lv", lpString2="$Recycle.bin") returned 1 [0091.248] lstrcmpiW (lpString1="lv", lpString2="System Volume Information") returned -1 [0091.248] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv") returned 150 [0091.248] lstrcmpW (lpString1="lv", lpString2=".") returned 1 [0091.249] lstrcmpW (lpString1="lv", lpString2="..") returned 1 [0091.249] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\*") returned 152 [0091.249] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.249] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.249] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.249] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.249] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.249] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.249] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\.") returned 152 [0091.249] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.249] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.249] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.249] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.249] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.249] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.249] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.249] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\..") returned 153 [0091.249] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.249] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.249] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.249] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.249] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.249] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.249] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.249] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.249] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json") returned 164 [0091.249] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.249] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.249] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.249] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json") returned 164 [0091.250] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json") returned 164 [0091.250] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json") returned 164 [0091.250] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.250] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.317] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.317] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.317] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.317] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.333] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.333] CloseHandle (hObject=0x200) returned 1 [0091.333] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json.protected") returned 174 [0091.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json.protected")) returned 1 [0091.334] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.334] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.334] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.335] lstrlenA (lpString="EMPTY") returned 5 [0091.335] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.335] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.335] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.336] CloseHandle (hObject=0x1fc) returned 1 [0091.336] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.336] lstrcmpiW (lpString1="ml", lpString2="Windows") returned -1 [0091.336] lstrcmpiW (lpString1="ml", lpString2="Program Files") returned -1 [0091.336] lstrcmpiW (lpString1="ml", lpString2="Program Files (x86)") returned -1 [0091.336] lstrcmpiW (lpString1="ml", lpString2="$Recycle.bin") returned 1 [0091.336] lstrcmpiW (lpString1="ml", lpString2="System Volume Information") returned -1 [0091.336] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml") returned 150 [0091.336] lstrcmpW (lpString1="ml", lpString2=".") returned 1 [0091.336] lstrcmpW (lpString1="ml", lpString2="..") returned 1 [0091.336] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\*") returned 152 [0091.336] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.336] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.336] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.336] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.336] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.336] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.336] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\.") returned 152 [0091.337] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.337] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.337] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.337] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.337] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.337] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.337] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.337] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\..") returned 153 [0091.337] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.337] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.337] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.337] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.337] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.337] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.337] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.337] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.337] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json") returned 164 [0091.337] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.337] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.337] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.337] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.337] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.338] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json") returned 164 [0091.338] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.338] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json") returned 164 [0091.338] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.339] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json") returned 164 [0091.339] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.339] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.379] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.379] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.379] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.379] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.418] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.418] CloseHandle (hObject=0x200) returned 1 [0091.419] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json.protected") returned 174 [0091.419] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json.protected")) returned 1 [0091.419] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.419] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.419] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.420] lstrlenA (lpString="EMPTY") returned 5 [0091.420] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.421] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.421] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.421] CloseHandle (hObject=0x1fc) returned 1 [0091.421] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.421] lstrcmpiW (lpString1="mr", lpString2="Windows") returned -1 [0091.421] lstrcmpiW (lpString1="mr", lpString2="Program Files") returned -1 [0091.421] lstrcmpiW (lpString1="mr", lpString2="Program Files (x86)") returned -1 [0091.421] lstrcmpiW (lpString1="mr", lpString2="$Recycle.bin") returned 1 [0091.421] lstrcmpiW (lpString1="mr", lpString2="System Volume Information") returned -1 [0091.421] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr") returned 150 [0091.421] lstrcmpW (lpString1="mr", lpString2=".") returned 1 [0091.421] lstrcmpW (lpString1="mr", lpString2="..") returned 1 [0091.421] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\*") returned 152 [0091.421] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.421] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.421] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.421] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.421] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.421] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.421] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\.") returned 152 [0091.421] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.422] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.422] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.422] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.422] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.422] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.422] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.422] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\..") returned 153 [0091.422] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.422] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.422] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.422] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.422] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.422] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.422] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.422] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.422] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json") returned 164 [0091.422] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.422] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.422] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.422] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json") returned 164 [0091.422] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json") returned 164 [0091.423] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.423] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json") returned 164 [0091.423] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.423] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.425] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.425] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.425] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.425] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.425] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.425] CloseHandle (hObject=0x200) returned 1 [0091.425] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json.protected") returned 174 [0091.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json.protected")) returned 1 [0091.426] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.426] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.426] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.426] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.427] lstrlenA (lpString="EMPTY") returned 5 [0091.427] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.427] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.427] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.428] CloseHandle (hObject=0x1fc) returned 1 [0091.428] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.428] lstrcmpiW (lpString1="ms", lpString2="Windows") returned -1 [0091.428] lstrcmpiW (lpString1="ms", lpString2="Program Files") returned -1 [0091.428] lstrcmpiW (lpString1="ms", lpString2="Program Files (x86)") returned -1 [0091.428] lstrcmpiW (lpString1="ms", lpString2="$Recycle.bin") returned 1 [0091.428] lstrcmpiW (lpString1="ms", lpString2="System Volume Information") returned -1 [0091.428] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms") returned 150 [0091.428] lstrcmpW (lpString1="ms", lpString2=".") returned 1 [0091.428] lstrcmpW (lpString1="ms", lpString2="..") returned 1 [0091.428] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\*") returned 152 [0091.428] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.428] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.428] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.428] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.428] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.428] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.428] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\.") returned 152 [0091.428] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.428] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.428] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.429] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.429] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.429] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.429] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.429] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\..") returned 153 [0091.429] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.429] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.429] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.429] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.429] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.429] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.429] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.429] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.429] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json") returned 164 [0091.429] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.429] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.429] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.429] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.430] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json") returned 164 [0091.430] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.430] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json") returned 164 [0091.430] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.430] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json") returned 164 [0091.430] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.430] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.478] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.478] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.478] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.478] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.478] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.478] CloseHandle (hObject=0x200) returned 1 [0091.479] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json.protected") returned 174 [0091.479] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json.protected")) returned 1 [0091.479] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.479] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.479] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.480] lstrlenA (lpString="EMPTY") returned 5 [0091.480] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.481] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.481] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.481] CloseHandle (hObject=0x1fc) returned 1 [0091.481] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.481] lstrcmpiW (lpString1="nb", lpString2="Windows") returned -1 [0091.481] lstrcmpiW (lpString1="nb", lpString2="Program Files") returned -1 [0091.481] lstrcmpiW (lpString1="nb", lpString2="Program Files (x86)") returned -1 [0091.481] lstrcmpiW (lpString1="nb", lpString2="$Recycle.bin") returned 1 [0091.481] lstrcmpiW (lpString1="nb", lpString2="System Volume Information") returned -1 [0091.481] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb") returned 150 [0091.481] lstrcmpW (lpString1="nb", lpString2=".") returned 1 [0091.481] lstrcmpW (lpString1="nb", lpString2="..") returned 1 [0091.481] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\*") returned 152 [0091.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.481] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.481] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.481] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.481] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.481] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.481] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\.") returned 152 [0091.482] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.482] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.482] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.482] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.482] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.482] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.482] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.482] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\..") returned 153 [0091.482] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.482] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.482] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.482] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.482] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.482] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.482] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.482] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.482] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json") returned 164 [0091.482] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.482] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.482] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.482] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.483] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json") returned 164 [0091.483] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.483] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json") returned 164 [0091.483] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.483] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json") returned 164 [0091.483] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.483] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.485] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.485] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.485] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.485] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.485] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.485] CloseHandle (hObject=0x200) returned 1 [0091.485] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json.protected") returned 174 [0091.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json.protected")) returned 1 [0091.486] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.486] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.486] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.487] lstrlenA (lpString="EMPTY") returned 5 [0091.487] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.487] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.487] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.487] CloseHandle (hObject=0x1fc) returned 1 [0091.488] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.488] lstrcmpiW (lpString1="nl", lpString2="Windows") returned -1 [0091.488] lstrcmpiW (lpString1="nl", lpString2="Program Files") returned -1 [0091.488] lstrcmpiW (lpString1="nl", lpString2="Program Files (x86)") returned -1 [0091.488] lstrcmpiW (lpString1="nl", lpString2="$Recycle.bin") returned 1 [0091.488] lstrcmpiW (lpString1="nl", lpString2="System Volume Information") returned -1 [0091.488] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl") returned 150 [0091.488] lstrcmpW (lpString1="nl", lpString2=".") returned 1 [0091.488] lstrcmpW (lpString1="nl", lpString2="..") returned 1 [0091.488] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\*") returned 152 [0091.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.488] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.488] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.488] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.488] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.488] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.488] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\.") returned 152 [0091.488] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.488] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.488] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.488] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.488] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.488] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.488] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.488] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\..") returned 153 [0091.488] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.488] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.488] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.488] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.488] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.488] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.488] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.488] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.488] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json") returned 164 [0091.489] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.489] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.489] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.489] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.490] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json") returned 164 [0091.490] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.490] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json") returned 164 [0091.490] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.490] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json") returned 164 [0091.490] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.490] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.491] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.491] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.491] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.491] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.491] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.492] CloseHandle (hObject=0x200) returned 1 [0091.492] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json.protected") returned 174 [0091.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json.protected")) returned 1 [0091.492] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.492] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.492] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.493] lstrlenA (lpString="EMPTY") returned 5 [0091.493] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.494] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.494] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.494] CloseHandle (hObject=0x1fc) returned 1 [0091.494] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.494] lstrcmpiW (lpString1="pl", lpString2="Windows") returned -1 [0091.494] lstrcmpiW (lpString1="pl", lpString2="Program Files") returned -1 [0091.494] lstrcmpiW (lpString1="pl", lpString2="Program Files (x86)") returned -1 [0091.494] lstrcmpiW (lpString1="pl", lpString2="$Recycle.bin") returned 1 [0091.494] lstrcmpiW (lpString1="pl", lpString2="System Volume Information") returned -1 [0091.494] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl") returned 150 [0091.494] lstrcmpW (lpString1="pl", lpString2=".") returned 1 [0091.494] lstrcmpW (lpString1="pl", lpString2="..") returned 1 [0091.494] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\*") returned 152 [0091.494] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.494] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.494] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.494] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.494] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.494] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.494] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\.") returned 152 [0091.494] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.494] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.494] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.494] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.494] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.494] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.495] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.495] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\..") returned 153 [0091.495] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.495] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.495] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.495] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.495] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.495] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.495] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.495] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.495] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json") returned 164 [0091.495] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.495] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.495] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.495] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.495] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json") returned 164 [0091.495] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.495] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json") returned 164 [0091.495] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.495] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json") returned 164 [0091.495] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.496] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.497] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.497] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.497] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.497] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.498] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.498] CloseHandle (hObject=0x200) returned 1 [0091.498] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json.protected") returned 174 [0091.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json.protected")) returned 1 [0091.498] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.498] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.498] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.499] lstrlenA (lpString="EMPTY") returned 5 [0091.499] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.500] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.500] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.500] CloseHandle (hObject=0x1fc) returned 1 [0091.500] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.500] lstrcmpiW (lpString1="pt", lpString2="Windows") returned -1 [0091.500] lstrcmpiW (lpString1="pt", lpString2="Program Files") returned 1 [0091.500] lstrcmpiW (lpString1="pt", lpString2="Program Files (x86)") returned 1 [0091.500] lstrcmpiW (lpString1="pt", lpString2="$Recycle.bin") returned 1 [0091.500] lstrcmpiW (lpString1="pt", lpString2="System Volume Information") returned -1 [0091.500] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt") returned 150 [0091.500] lstrcmpW (lpString1="pt", lpString2=".") returned 1 [0091.500] lstrcmpW (lpString1="pt", lpString2="..") returned 1 [0091.500] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\*") returned 152 [0091.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.500] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.500] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.500] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.500] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.500] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.500] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\.") returned 152 [0091.500] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.500] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.500] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.500] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.500] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.500] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.500] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.501] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\..") returned 153 [0091.501] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.501] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.501] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.501] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.501] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.501] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.501] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.501] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.501] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json") returned 164 [0091.501] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.501] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.501] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.501] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.502] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json") returned 164 [0091.502] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.502] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json") returned 164 [0091.502] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.502] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json") returned 164 [0091.502] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.502] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.503] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.503] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.503] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.504] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.504] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.504] CloseHandle (hObject=0x200) returned 1 [0091.504] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json.protected") returned 174 [0091.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json.protected")) returned 1 [0091.504] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.505] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.505] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.505] lstrlenA (lpString="EMPTY") returned 5 [0091.505] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.506] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.506] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.506] CloseHandle (hObject=0x1fc) returned 1 [0091.506] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.506] lstrcmpiW (lpString1="pt_BR", lpString2="Windows") returned -1 [0091.506] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files") returned 1 [0091.506] lstrcmpiW (lpString1="pt_BR", lpString2="Program Files (x86)") returned 1 [0091.506] lstrcmpiW (lpString1="pt_BR", lpString2="$Recycle.bin") returned 1 [0091.506] lstrcmpiW (lpString1="pt_BR", lpString2="System Volume Information") returned -1 [0091.506] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR") returned 153 [0091.506] lstrcmpW (lpString1="pt_BR", lpString2=".") returned 1 [0091.506] lstrcmpW (lpString1="pt_BR", lpString2="..") returned 1 [0091.506] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\*") returned 155 [0091.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.506] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.506] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.506] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.506] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.506] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.506] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\.") returned 155 [0091.506] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.507] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.507] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.507] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.507] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.507] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.507] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.507] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\..") returned 156 [0091.507] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.507] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.507] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.507] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.507] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.507] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.507] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.507] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.507] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json") returned 167 [0091.507] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.507] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.507] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.507] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.507] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.507] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json") returned 167 [0091.507] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.507] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json") returned 167 [0091.507] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.507] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json") returned 167 [0091.507] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.508] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.512] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.512] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.512] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.512] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.512] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.512] CloseHandle (hObject=0x200) returned 1 [0091.513] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json.protected") returned 177 [0091.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\messages.json.protected")) returned 1 [0091.513] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.513] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.513] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 183 [0091.513] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.514] lstrlenA (lpString="EMPTY") returned 5 [0091.514] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.515] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.515] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.515] CloseHandle (hObject=0x1fc) returned 1 [0091.515] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.515] lstrcmpiW (lpString1="pt_PT", lpString2="Windows") returned -1 [0091.515] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files") returned 1 [0091.515] lstrcmpiW (lpString1="pt_PT", lpString2="Program Files (x86)") returned 1 [0091.515] lstrcmpiW (lpString1="pt_PT", lpString2="$Recycle.bin") returned 1 [0091.515] lstrcmpiW (lpString1="pt_PT", lpString2="System Volume Information") returned -1 [0091.515] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT") returned 153 [0091.515] lstrcmpW (lpString1="pt_PT", lpString2=".") returned 1 [0091.515] lstrcmpW (lpString1="pt_PT", lpString2="..") returned 1 [0091.515] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\*") returned 155 [0091.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.516] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.516] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.516] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.516] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.516] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.516] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\.") returned 155 [0091.516] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.516] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.516] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.516] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.516] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.516] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.516] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.516] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\..") returned 156 [0091.516] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.516] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.516] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.516] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.516] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.516] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.516] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.516] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.516] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json") returned 167 [0091.516] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.516] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.516] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.516] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.517] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json") returned 167 [0091.517] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.517] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json") returned 167 [0091.517] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.517] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json") returned 167 [0091.517] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.517] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.518] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.519] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.519] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.519] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.525] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.526] CloseHandle (hObject=0x200) returned 1 [0091.526] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json.protected") returned 177 [0091.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\messages.json.protected")) returned 1 [0091.526] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.526] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.526] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 183 [0091.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.527] lstrlenA (lpString="EMPTY") returned 5 [0091.527] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.528] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.528] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.528] CloseHandle (hObject=0x1fc) returned 1 [0091.528] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.528] lstrcmpiW (lpString1="ro", lpString2="Windows") returned -1 [0091.528] lstrcmpiW (lpString1="ro", lpString2="Program Files") returned 1 [0091.528] lstrcmpiW (lpString1="ro", lpString2="Program Files (x86)") returned 1 [0091.528] lstrcmpiW (lpString1="ro", lpString2="$Recycle.bin") returned 1 [0091.528] lstrcmpiW (lpString1="ro", lpString2="System Volume Information") returned -1 [0091.528] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro") returned 150 [0091.528] lstrcmpW (lpString1="ro", lpString2=".") returned 1 [0091.528] lstrcmpW (lpString1="ro", lpString2="..") returned 1 [0091.528] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\*") returned 152 [0091.528] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.528] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.528] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.528] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.528] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.528] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.528] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\.") returned 152 [0091.528] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.528] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.528] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.529] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.529] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.529] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.529] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.529] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\..") returned 153 [0091.529] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.529] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.529] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.529] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.529] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.529] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.529] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.529] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.529] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json") returned 164 [0091.529] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.529] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.529] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.529] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.529] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json") returned 164 [0091.529] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.529] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json") returned 164 [0091.529] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.530] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json") returned 164 [0091.530] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.530] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.531] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.531] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.531] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.531] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.532] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.532] CloseHandle (hObject=0x200) returned 1 [0091.532] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json.protected") returned 174 [0091.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json.protected")) returned 1 [0091.532] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.532] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.533] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.533] lstrlenA (lpString="EMPTY") returned 5 [0091.533] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.534] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.534] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.534] CloseHandle (hObject=0x1fc) returned 1 [0091.534] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.534] lstrcmpiW (lpString1="ru", lpString2="Windows") returned -1 [0091.534] lstrcmpiW (lpString1="ru", lpString2="Program Files") returned 1 [0091.534] lstrcmpiW (lpString1="ru", lpString2="Program Files (x86)") returned 1 [0091.534] lstrcmpiW (lpString1="ru", lpString2="$Recycle.bin") returned 1 [0091.534] lstrcmpiW (lpString1="ru", lpString2="System Volume Information") returned -1 [0091.534] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru") returned 150 [0091.534] lstrcmpW (lpString1="ru", lpString2=".") returned 1 [0091.534] lstrcmpW (lpString1="ru", lpString2="..") returned 1 [0091.534] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\*") returned 152 [0091.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.535] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.535] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.535] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.535] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.535] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.535] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\.") returned 152 [0091.535] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.535] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.535] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.535] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.535] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.535] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.535] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.535] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\..") returned 153 [0091.535] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.535] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.535] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.535] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.535] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.535] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.535] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.535] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.535] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json") returned 164 [0091.535] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.535] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.535] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.535] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.543] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json") returned 164 [0091.543] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.543] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json") returned 164 [0091.543] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.543] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json") returned 164 [0091.543] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.543] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.545] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.545] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.545] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.545] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.545] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.546] CloseHandle (hObject=0x200) returned 1 [0091.546] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json.protected") returned 174 [0091.546] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json.protected")) returned 1 [0091.546] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.546] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.547] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.547] lstrlenA (lpString="EMPTY") returned 5 [0091.547] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.548] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.548] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.548] CloseHandle (hObject=0x1fc) returned 1 [0091.548] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.548] lstrcmpiW (lpString1="sk", lpString2="Windows") returned -1 [0091.548] lstrcmpiW (lpString1="sk", lpString2="Program Files") returned 1 [0091.548] lstrcmpiW (lpString1="sk", lpString2="Program Files (x86)") returned 1 [0091.548] lstrcmpiW (lpString1="sk", lpString2="$Recycle.bin") returned 1 [0091.548] lstrcmpiW (lpString1="sk", lpString2="System Volume Information") returned -1 [0091.548] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk") returned 150 [0091.548] lstrcmpW (lpString1="sk", lpString2=".") returned 1 [0091.548] lstrcmpW (lpString1="sk", lpString2="..") returned 1 [0091.548] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\*") returned 152 [0091.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.548] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.548] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.548] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.548] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.548] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.548] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\.") returned 152 [0091.549] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.549] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.549] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.549] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.549] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.549] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.549] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.549] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\..") returned 153 [0091.549] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.549] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.549] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.549] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.549] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.549] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.549] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.549] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.549] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json") returned 164 [0091.549] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.549] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.549] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.549] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.550] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json") returned 164 [0091.550] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.550] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json") returned 164 [0091.550] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.550] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json") returned 164 [0091.550] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.550] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.551] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.551] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.551] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.551] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.552] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.552] CloseHandle (hObject=0x200) returned 1 [0091.552] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json.protected") returned 174 [0091.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json.protected")) returned 1 [0091.553] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.553] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.553] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.553] lstrlenA (lpString="EMPTY") returned 5 [0091.553] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.554] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.554] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.554] CloseHandle (hObject=0x1fc) returned 1 [0091.554] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.554] lstrcmpiW (lpString1="sl", lpString2="Windows") returned -1 [0091.554] lstrcmpiW (lpString1="sl", lpString2="Program Files") returned 1 [0091.554] lstrcmpiW (lpString1="sl", lpString2="Program Files (x86)") returned 1 [0091.554] lstrcmpiW (lpString1="sl", lpString2="$Recycle.bin") returned 1 [0091.554] lstrcmpiW (lpString1="sl", lpString2="System Volume Information") returned -1 [0091.554] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl") returned 150 [0091.555] lstrcmpW (lpString1="sl", lpString2=".") returned 1 [0091.555] lstrcmpW (lpString1="sl", lpString2="..") returned 1 [0091.555] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\*") returned 152 [0091.555] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.555] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.555] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.555] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.555] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.555] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.555] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\.") returned 152 [0091.555] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.555] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.555] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.555] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.555] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.555] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.555] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.555] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\..") returned 153 [0091.555] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.555] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.555] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.555] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.555] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.555] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.555] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.555] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.555] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json") returned 164 [0091.555] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.555] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.555] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.556] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.556] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.557] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json") returned 164 [0091.557] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.557] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json") returned 164 [0091.557] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.557] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json") returned 164 [0091.557] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.557] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.565] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.565] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.565] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.565] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.581] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.581] CloseHandle (hObject=0x200) returned 1 [0091.581] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json.protected") returned 174 [0091.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json.protected")) returned 1 [0091.582] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.582] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.582] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.583] lstrlenA (lpString="EMPTY") returned 5 [0091.583] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.583] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.584] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.584] CloseHandle (hObject=0x1fc) returned 1 [0091.584] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.584] lstrcmpiW (lpString1="sr", lpString2="Windows") returned -1 [0091.584] lstrcmpiW (lpString1="sr", lpString2="Program Files") returned 1 [0091.584] lstrcmpiW (lpString1="sr", lpString2="Program Files (x86)") returned 1 [0091.584] lstrcmpiW (lpString1="sr", lpString2="$Recycle.bin") returned 1 [0091.584] lstrcmpiW (lpString1="sr", lpString2="System Volume Information") returned -1 [0091.584] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr") returned 150 [0091.584] lstrcmpW (lpString1="sr", lpString2=".") returned 1 [0091.584] lstrcmpW (lpString1="sr", lpString2="..") returned 1 [0091.584] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\*") returned 152 [0091.584] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.584] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.584] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.584] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.584] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.584] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.584] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\.") returned 152 [0091.584] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.584] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.584] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.584] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.584] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.584] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.584] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.585] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\..") returned 153 [0091.585] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.585] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.585] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.585] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.585] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.585] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.585] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.585] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.585] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json") returned 164 [0091.585] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.585] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.585] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.585] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.585] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.585] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json") returned 164 [0091.585] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.585] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json") returned 164 [0091.585] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.585] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json") returned 164 [0091.585] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.585] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.586] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.586] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.587] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.587] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.587] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.587] CloseHandle (hObject=0x200) returned 1 [0091.587] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json.protected") returned 174 [0091.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json.protected")) returned 1 [0091.588] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.588] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.588] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.588] lstrlenA (lpString="EMPTY") returned 5 [0091.588] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.589] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.589] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.589] CloseHandle (hObject=0x1fc) returned 1 [0091.589] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.589] lstrcmpiW (lpString1="sv", lpString2="Windows") returned -1 [0091.589] lstrcmpiW (lpString1="sv", lpString2="Program Files") returned 1 [0091.589] lstrcmpiW (lpString1="sv", lpString2="Program Files (x86)") returned 1 [0091.589] lstrcmpiW (lpString1="sv", lpString2="$Recycle.bin") returned 1 [0091.589] lstrcmpiW (lpString1="sv", lpString2="System Volume Information") returned -1 [0091.589] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv") returned 150 [0091.589] lstrcmpW (lpString1="sv", lpString2=".") returned 1 [0091.589] lstrcmpW (lpString1="sv", lpString2="..") returned 1 [0091.590] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\*") returned 152 [0091.590] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.592] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.592] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.592] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.592] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.592] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.592] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\.") returned 152 [0091.592] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.592] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.592] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.593] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.593] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.593] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.593] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.593] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\..") returned 153 [0091.593] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.593] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.593] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.593] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.593] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.593] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.593] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.593] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.593] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json") returned 164 [0091.593] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.593] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.593] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.593] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.594] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json") returned 164 [0091.594] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.594] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json") returned 164 [0091.594] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.594] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json") returned 164 [0091.594] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.594] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.595] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.595] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.595] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.595] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.596] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.596] CloseHandle (hObject=0x200) returned 1 [0091.596] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json.protected") returned 174 [0091.596] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json.protected")) returned 1 [0091.599] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.602] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.602] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.603] lstrlenA (lpString="EMPTY") returned 5 [0091.603] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.607] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.607] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.607] CloseHandle (hObject=0x1fc) returned 1 [0091.607] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.607] lstrcmpiW (lpString1="sw", lpString2="Windows") returned -1 [0091.607] lstrcmpiW (lpString1="sw", lpString2="Program Files") returned 1 [0091.607] lstrcmpiW (lpString1="sw", lpString2="Program Files (x86)") returned 1 [0091.607] lstrcmpiW (lpString1="sw", lpString2="$Recycle.bin") returned 1 [0091.607] lstrcmpiW (lpString1="sw", lpString2="System Volume Information") returned -1 [0091.607] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw") returned 150 [0091.607] lstrcmpW (lpString1="sw", lpString2=".") returned 1 [0091.607] lstrcmpW (lpString1="sw", lpString2="..") returned 1 [0091.607] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\*") returned 152 [0091.607] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.608] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.608] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.608] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.608] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.608] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.608] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\.") returned 152 [0091.608] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.608] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.608] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.608] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.608] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.608] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.608] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.608] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\..") returned 153 [0091.608] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.608] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.610] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.610] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.610] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.610] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.610] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.610] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.611] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json") returned 164 [0091.611] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.611] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.611] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.611] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json") returned 164 [0091.611] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json") returned 164 [0091.611] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json") returned 164 [0091.611] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.611] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.612] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.612] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.613] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.613] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.613] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.613] CloseHandle (hObject=0x200) returned 1 [0091.613] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json.protected") returned 174 [0091.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json.protected")) returned 1 [0091.615] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.615] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.615] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.615] lstrlenA (lpString="EMPTY") returned 5 [0091.615] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.616] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.616] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.616] CloseHandle (hObject=0x1fc) returned 1 [0091.616] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.616] lstrcmpiW (lpString1="ta", lpString2="Windows") returned -1 [0091.616] lstrcmpiW (lpString1="ta", lpString2="Program Files") returned 1 [0091.616] lstrcmpiW (lpString1="ta", lpString2="Program Files (x86)") returned 1 [0091.616] lstrcmpiW (lpString1="ta", lpString2="$Recycle.bin") returned 1 [0091.616] lstrcmpiW (lpString1="ta", lpString2="System Volume Information") returned 1 [0091.616] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta") returned 150 [0091.616] lstrcmpW (lpString1="ta", lpString2=".") returned 1 [0091.616] lstrcmpW (lpString1="ta", lpString2="..") returned 1 [0091.617] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\*") returned 152 [0091.617] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.617] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.617] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.617] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.617] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.617] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.617] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\.") returned 152 [0091.617] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.617] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.617] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.617] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.617] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.617] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.617] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.617] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\..") returned 153 [0091.617] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.617] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.617] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.617] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.617] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.617] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.617] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.617] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.617] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json") returned 164 [0091.617] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.617] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.617] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.617] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.618] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json") returned 164 [0091.618] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.618] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json") returned 164 [0091.618] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.618] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json") returned 164 [0091.618] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.618] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.619] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.619] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.620] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.620] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.620] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.620] CloseHandle (hObject=0x200) returned 1 [0091.620] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json.protected") returned 174 [0091.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json.protected")) returned 1 [0091.621] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.621] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.621] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.621] lstrlenA (lpString="EMPTY") returned 5 [0091.621] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.622] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.622] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.622] CloseHandle (hObject=0x1fc) returned 1 [0091.622] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.622] lstrcmpiW (lpString1="te", lpString2="Windows") returned -1 [0091.622] lstrcmpiW (lpString1="te", lpString2="Program Files") returned 1 [0091.622] lstrcmpiW (lpString1="te", lpString2="Program Files (x86)") returned 1 [0091.622] lstrcmpiW (lpString1="te", lpString2="$Recycle.bin") returned 1 [0091.622] lstrcmpiW (lpString1="te", lpString2="System Volume Information") returned 1 [0091.622] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te") returned 150 [0091.622] lstrcmpW (lpString1="te", lpString2=".") returned 1 [0091.622] lstrcmpW (lpString1="te", lpString2="..") returned 1 [0091.622] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\*") returned 152 [0091.623] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.623] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.623] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.623] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.623] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.623] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.623] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\.") returned 152 [0091.623] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.623] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.623] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.623] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.623] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.623] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.623] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.623] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\..") returned 153 [0091.623] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.623] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.623] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.623] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.623] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.623] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.623] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.623] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.623] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json") returned 164 [0091.623] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.623] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.623] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.623] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.624] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json") returned 164 [0091.624] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.624] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json") returned 164 [0091.624] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.624] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json") returned 164 [0091.624] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.624] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.655] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.655] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.655] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.655] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.689] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.689] CloseHandle (hObject=0x200) returned 1 [0091.689] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json.protected") returned 174 [0091.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json.protected")) returned 1 [0091.690] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.690] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.690] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.690] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.690] lstrlenA (lpString="EMPTY") returned 5 [0091.690] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.691] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.691] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.691] CloseHandle (hObject=0x1fc) returned 1 [0091.691] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.691] lstrcmpiW (lpString1="th", lpString2="Windows") returned -1 [0091.691] lstrcmpiW (lpString1="th", lpString2="Program Files") returned 1 [0091.691] lstrcmpiW (lpString1="th", lpString2="Program Files (x86)") returned 1 [0091.691] lstrcmpiW (lpString1="th", lpString2="$Recycle.bin") returned 1 [0091.691] lstrcmpiW (lpString1="th", lpString2="System Volume Information") returned 1 [0091.691] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th") returned 150 [0091.691] lstrcmpW (lpString1="th", lpString2=".") returned 1 [0091.691] lstrcmpW (lpString1="th", lpString2="..") returned 1 [0091.691] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\*") returned 152 [0091.691] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.692] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.692] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.692] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.692] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.692] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.692] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\.") returned 152 [0091.692] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.692] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.692] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.692] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.692] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.692] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.692] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.692] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\..") returned 153 [0091.692] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.692] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.692] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.692] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.692] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.692] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.692] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.692] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.692] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json") returned 164 [0091.692] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.692] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.692] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.692] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.693] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json") returned 164 [0091.693] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.693] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json") returned 164 [0091.709] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.709] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json") returned 164 [0091.709] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.709] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.725] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.725] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.725] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.725] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.726] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.726] CloseHandle (hObject=0x200) returned 1 [0091.726] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json.protected") returned 174 [0091.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json.protected")) returned 1 [0091.727] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.727] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.727] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.727] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.728] lstrlenA (lpString="EMPTY") returned 5 [0091.728] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.729] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.729] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.729] CloseHandle (hObject=0x1fc) returned 1 [0091.729] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.729] lstrcmpiW (lpString1="tr", lpString2="Windows") returned -1 [0091.729] lstrcmpiW (lpString1="tr", lpString2="Program Files") returned 1 [0091.729] lstrcmpiW (lpString1="tr", lpString2="Program Files (x86)") returned 1 [0091.729] lstrcmpiW (lpString1="tr", lpString2="$Recycle.bin") returned 1 [0091.729] lstrcmpiW (lpString1="tr", lpString2="System Volume Information") returned 1 [0091.729] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr") returned 150 [0091.729] lstrcmpW (lpString1="tr", lpString2=".") returned 1 [0091.729] lstrcmpW (lpString1="tr", lpString2="..") returned 1 [0091.729] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\*") returned 152 [0091.729] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.730] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.730] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.730] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.730] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.730] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.730] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\.") returned 152 [0091.730] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.730] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.730] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.730] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.730] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.730] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.730] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.730] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\..") returned 153 [0091.730] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.730] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.730] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.730] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.730] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.730] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.730] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.730] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.730] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json") returned 164 [0091.730] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.730] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.730] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.730] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.730] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.731] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json") returned 164 [0091.731] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.731] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json") returned 164 [0091.731] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.731] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json") returned 164 [0091.731] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.731] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.732] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.732] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.733] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.733] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.733] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.733] CloseHandle (hObject=0x200) returned 1 [0091.733] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json.protected") returned 174 [0091.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json.protected")) returned 1 [0091.734] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.734] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.734] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.735] lstrlenA (lpString="EMPTY") returned 5 [0091.735] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.736] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.736] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.736] CloseHandle (hObject=0x1fc) returned 1 [0091.736] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.736] lstrcmpiW (lpString1="uk", lpString2="Windows") returned -1 [0091.736] lstrcmpiW (lpString1="uk", lpString2="Program Files") returned 1 [0091.736] lstrcmpiW (lpString1="uk", lpString2="Program Files (x86)") returned 1 [0091.736] lstrcmpiW (lpString1="uk", lpString2="$Recycle.bin") returned 1 [0091.736] lstrcmpiW (lpString1="uk", lpString2="System Volume Information") returned 1 [0091.736] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk") returned 150 [0091.736] lstrcmpW (lpString1="uk", lpString2=".") returned 1 [0091.736] lstrcmpW (lpString1="uk", lpString2="..") returned 1 [0091.736] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\*") returned 152 [0091.736] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.737] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.737] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.737] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.737] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.737] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.737] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\.") returned 152 [0091.737] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.737] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.737] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.737] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.737] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.737] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.737] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.737] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\..") returned 153 [0091.737] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.737] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.737] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.737] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.737] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.737] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.737] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.737] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.737] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json") returned 164 [0091.737] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.737] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.737] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.737] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.737] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.738] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json") returned 164 [0091.738] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.738] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json") returned 164 [0091.738] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.738] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json") returned 164 [0091.738] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.738] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.740] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.740] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.740] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.740] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.741] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.741] CloseHandle (hObject=0x200) returned 1 [0091.741] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json.protected") returned 174 [0091.741] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json.protected")) returned 1 [0091.742] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.742] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.742] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.742] lstrlenA (lpString="EMPTY") returned 5 [0091.742] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.743] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.743] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.743] CloseHandle (hObject=0x1fc) returned 1 [0091.744] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.744] lstrcmpiW (lpString1="vi", lpString2="Windows") returned -1 [0091.744] lstrcmpiW (lpString1="vi", lpString2="Program Files") returned 1 [0091.744] lstrcmpiW (lpString1="vi", lpString2="Program Files (x86)") returned 1 [0091.744] lstrcmpiW (lpString1="vi", lpString2="$Recycle.bin") returned 1 [0091.744] lstrcmpiW (lpString1="vi", lpString2="System Volume Information") returned 1 [0091.744] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi") returned 150 [0091.744] lstrcmpW (lpString1="vi", lpString2=".") returned 1 [0091.744] lstrcmpW (lpString1="vi", lpString2="..") returned 1 [0091.744] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\*") returned 152 [0091.744] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.744] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.744] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.744] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.744] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.744] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.744] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\.") returned 152 [0091.744] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.744] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.744] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.744] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.744] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.744] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.744] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.744] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\..") returned 153 [0091.744] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.744] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.745] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.745] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.745] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.745] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.745] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.745] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.745] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json") returned 164 [0091.745] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.745] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.745] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.745] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.745] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json") returned 164 [0091.745] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json") returned 164 [0091.745] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json") returned 164 [0091.745] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.745] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.747] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.747] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.747] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.747] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.748] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.748] CloseHandle (hObject=0x200) returned 1 [0091.748] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json.protected") returned 174 [0091.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json.protected")) returned 1 [0091.749] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.749] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.749] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.749] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.750] lstrlenA (lpString="EMPTY") returned 5 [0091.750] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.751] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.751] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.751] CloseHandle (hObject=0x1fc) returned 1 [0091.751] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.751] lstrcmpiW (lpString1="zh", lpString2="Windows") returned 1 [0091.751] lstrcmpiW (lpString1="zh", lpString2="Program Files") returned 1 [0091.751] lstrcmpiW (lpString1="zh", lpString2="Program Files (x86)") returned 1 [0091.751] lstrcmpiW (lpString1="zh", lpString2="$Recycle.bin") returned 1 [0091.751] lstrcmpiW (lpString1="zh", lpString2="System Volume Information") returned 1 [0091.751] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh") returned 150 [0091.751] lstrcmpW (lpString1="zh", lpString2=".") returned 1 [0091.751] lstrcmpW (lpString1="zh", lpString2="..") returned 1 [0091.751] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\*") returned 152 [0091.751] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.751] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.751] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.751] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.751] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.751] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.752] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\.") returned 152 [0091.752] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.752] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.752] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.752] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.752] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.752] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.752] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.752] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\..") returned 153 [0091.752] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.752] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.752] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.752] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.752] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.752] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.752] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.752] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.752] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json") returned 164 [0091.752] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.752] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.752] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.752] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.752] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.753] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json") returned 164 [0091.753] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.753] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json") returned 164 [0091.753] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.753] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json") returned 164 [0091.753] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.753] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.754] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.754] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.755] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.755] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0091.755] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0091.755] CloseHandle (hObject=0x200) returned 1 [0091.756] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json.protected") returned 174 [0091.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json.protected")) returned 1 [0091.756] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0091.756] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0091.756] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 180 [0091.756] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0091.757] lstrlenA (lpString="EMPTY") returned 5 [0091.757] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0091.758] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0091.758] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.758] CloseHandle (hObject=0x1fc) returned 1 [0091.758] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0091.758] lstrcmpiW (lpString1="zh_TW", lpString2="Windows") returned 1 [0091.758] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files") returned 1 [0091.758] lstrcmpiW (lpString1="zh_TW", lpString2="Program Files (x86)") returned 1 [0091.758] lstrcmpiW (lpString1="zh_TW", lpString2="$Recycle.bin") returned 1 [0091.758] lstrcmpiW (lpString1="zh_TW", lpString2="System Volume Information") returned 1 [0091.758] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW") returned 153 [0091.758] lstrcmpW (lpString1="zh_TW", lpString2=".") returned 1 [0091.758] lstrcmpW (lpString1="zh_TW", lpString2="..") returned 1 [0091.758] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\*") returned 155 [0091.758] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\*", lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0x5575f0 [0091.758] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.758] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0091.758] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0091.758] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.758] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.758] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\.") returned 155 [0091.758] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.758] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.758] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.758] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0091.758] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0091.759] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.759] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.759] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\..") returned 156 [0091.759] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.759] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.759] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 1 [0091.759] lstrcmpiW (lpString1="messages.json", lpString2="Windows") returned -1 [0091.759] lstrcmpiW (lpString1="messages.json", lpString2="Program Files") returned -1 [0091.759] lstrcmpiW (lpString1="messages.json", lpString2="Program Files (x86)") returned -1 [0091.759] lstrcmpiW (lpString1="messages.json", lpString2="$Recycle.bin") returned 1 [0091.759] lstrcmpiW (lpString1="messages.json", lpString2="System Volume Information") returned -1 [0091.759] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json") returned 167 [0091.759] StrStrIW (lpFirst="messages.json", lpSrch=".protected") returned 0x0 [0091.759] lstrcmpW (lpString1="messages.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0091.759] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed0f8 | out: pbBuffer=0x2ed0f8) returned 1 [0091.759] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed0ec*=0x30) returned 1 [0091.759] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x200 [0091.759] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json") returned 167 [0091.759] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0091.759] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json") returned 167 [0091.759] StrStrW (lpFirst="messages.json", lpSrch=".rar") returned 0x0 [0091.759] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json") returned 167 [0091.759] StrStrW (lpFirst="messages.json", lpSrch=".zip") returned 0x0 [0091.759] ReadFile (in: hFile=0x200, lpBuffer=0x621828, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesRead=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.946] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.946] WriteFile (in: hFile=0x200, lpBuffer=0x621828*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x621828*, lpNumberOfBytesWritten=0x2ed0c8*=0x2800, lpOverlapped=0x0) returned 1 [0091.946] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.946] WriteFile (in: hFile=0x200, lpBuffer=0x2ed0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x2ed0f4*, lpNumberOfBytesWritten=0x2ed0c8*=0x4, lpOverlapped=0x0) returned 1 [0092.011] WriteFile (in: hFile=0x200, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed0c8, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed0c8*=0x30, lpOverlapped=0x0) returned 1 [0092.011] CloseHandle (hObject=0x200) returned 1 [0092.011] wnsprintfW (in: pszDest=0x2e22178, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json.protected") returned 177 [0092.011] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\messages.json.protected")) returned 1 [0092.012] FindNextFileW (in: hFindFile=0x5575f0, lpFindFileData=0x2ed158 | out: lpFindFileData=0x2ed158) returned 0 [0092.012] FindClose (in: hFindFile=0x5575f0 | out: hFindFile=0x5575f0) returned 1 [0092.012] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 183 [0092.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0092.013] lstrlenA (lpString="EMPTY") returned 5 [0092.013] WriteFile (in: hFile=0x1fc, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed0d4*=0x5, lpOverlapped=0x0) returned 1 [0092.013] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0092.013] WriteFile (in: hFile=0x1fc, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed0d4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed0d4*=0x2ac, lpOverlapped=0x0) returned 1 [0092.014] CloseHandle (hObject=0x1fc) returned 1 [0092.014] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0092.014] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0092.014] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 177 [0092.014] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0092.014] lstrlenA (lpString="EMPTY") returned 5 [0092.014] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0092.015] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0092.015] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0092.015] CloseHandle (hObject=0x1f8) returned 1 [0092.015] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 1 [0092.015] lstrcmpiW (lpString1="_metadata", lpString2="Windows") returned -1 [0092.015] lstrcmpiW (lpString1="_metadata", lpString2="Program Files") returned -1 [0092.015] lstrcmpiW (lpString1="_metadata", lpString2="Program Files (x86)") returned -1 [0092.015] lstrcmpiW (lpString1="_metadata", lpString2="$Recycle.bin") returned 1 [0092.015] lstrcmpiW (lpString1="_metadata", lpString2="System Volume Information") returned -1 [0092.015] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata") returned 148 [0092.015] lstrcmpW (lpString1="_metadata", lpString2=".") returned 1 [0092.015] lstrcmpW (lpString1="_metadata", lpString2="..") returned 1 [0092.015] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\*") returned 150 [0092.015] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\*", lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0x5575b0 [0092.015] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.015] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0092.015] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0092.015] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.015] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.015] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\.") returned 150 [0092.015] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.015] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0092.016] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.016] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0092.016] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0092.016] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.016] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.016] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\..") returned 151 [0092.016] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.016] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.016] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0092.016] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Windows") returned -1 [0092.016] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files") returned -1 [0092.016] lstrcmpiW (lpString1="computed_hashes.json", lpString2="Program Files (x86)") returned -1 [0092.016] lstrcmpiW (lpString1="computed_hashes.json", lpString2="$Recycle.bin") returned 1 [0092.016] lstrcmpiW (lpString1="computed_hashes.json", lpString2="System Volume Information") returned -1 [0092.016] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json") returned 169 [0092.016] StrStrIW (lpFirst="computed_hashes.json", lpSrch=".protected") returned 0x0 [0092.016] lstrcmpW (lpString1="computed_hashes.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0092.016] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0092.016] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0092.016] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0092.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json") returned 169 [0092.016] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0092.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json") returned 169 [0092.016] StrStrW (lpFirst="computed_hashes.json", lpSrch=".rar") returned 0x0 [0092.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json") returned 169 [0092.016] StrStrW (lpFirst="computed_hashes.json", lpSrch=".zip") returned 0x0 [0092.016] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0092.225] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.226] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0092.226] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.226] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0092.284] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0092.284] CloseHandle (hObject=0x1fc) returned 1 [0092.284] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json.protected") returned 179 [0092.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json.protected")) returned 1 [0092.285] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 1 [0092.285] lstrcmpiW (lpString1="verified_contents.json", lpString2="Windows") returned -1 [0092.285] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files") returned 1 [0092.285] lstrcmpiW (lpString1="verified_contents.json", lpString2="Program Files (x86)") returned 1 [0092.285] lstrcmpiW (lpString1="verified_contents.json", lpString2="$Recycle.bin") returned 1 [0092.285] lstrcmpiW (lpString1="verified_contents.json", lpString2="System Volume Information") returned 1 [0092.285] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json") returned 171 [0092.285] StrStrIW (lpFirst="verified_contents.json", lpSrch=".protected") returned 0x0 [0092.285] lstrcmpW (lpString1="verified_contents.json", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned 1 [0092.285] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2ed3f0 | out: pbBuffer=0x2ed3f0) returned 1 [0092.285] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2ed3e4*=0x30) returned 1 [0092.285] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0092.286] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json") returned 171 [0092.286] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0092.286] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json") returned 171 [0092.286] StrStrW (lpFirst="verified_contents.json", lpSrch=".rar") returned 0x0 [0092.286] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json") returned 171 [0092.286] StrStrW (lpFirst="verified_contents.json", lpSrch=".zip") returned 0x0 [0092.286] ReadFile (in: hFile=0x1fc, lpBuffer=0x620820, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesRead=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0092.287] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.287] WriteFile (in: hFile=0x1fc, lpBuffer=0x620820*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x620820*, lpNumberOfBytesWritten=0x2ed3c0*=0x2800, lpOverlapped=0x0) returned 1 [0092.287] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.287] WriteFile (in: hFile=0x1fc, lpBuffer=0x2ed3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x2ed3ec*, lpNumberOfBytesWritten=0x2ed3c0*=0x4, lpOverlapped=0x0) returned 1 [0092.287] WriteFile (in: hFile=0x1fc, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2ed3c0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2ed3c0*=0x30, lpOverlapped=0x0) returned 1 [0092.288] CloseHandle (hObject=0x1fc) returned 1 [0092.288] wnsprintfW (in: pszDest=0x2e12130, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json.protected") returned 181 [0092.288] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json.protected")) returned 1 [0092.288] FindNextFileW (in: hFindFile=0x5575b0, lpFindFileData=0x2ed450 | out: lpFindFileData=0x2ed450) returned 0 [0092.288] FindClose (in: hFindFile=0x5575b0 | out: hFindFile=0x5575b0) returned 1 [0092.288] wnsprintfW (in: pszDest=0x2e020e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 178 [0092.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f8 [0092.357] lstrlenA (lpString="EMPTY") returned 5 [0092.357] WriteFile (in: hFile=0x1f8, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed3cc*=0x5, lpOverlapped=0x0) returned 1 [0092.358] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0092.358] WriteFile (in: hFile=0x1f8, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed3cc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0092.358] CloseHandle (hObject=0x1f8) returned 1 [0092.358] FindNextFileW (in: hFindFile=0x557570, lpFindFileData=0x2ed748 | out: lpFindFileData=0x2ed748) returned 0 [0092.358] FindClose (in: hFindFile=0x557570 | out: hFindFile=0x557570) returned 1 [0092.359] wnsprintfW (in: pszDest=0x5c7688, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 168 [0092.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0092.360] lstrlenA (lpString="EMPTY") returned 5 [0092.360] WriteFile (in: hFile=0x1f4, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed6c4*=0x5, lpOverlapped=0x0) returned 1 [0092.360] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0092.360] WriteFile (in: hFile=0x1f4, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed6c4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed6c4*=0x2ac, lpOverlapped=0x0) returned 1 [0092.361] CloseHandle (hObject=0x1f4) returned 1 [0092.361] FindNextFileW (in: hFindFile=0x557530, lpFindFileData=0x2eda40 | out: lpFindFileData=0x2eda40) returned 0 [0092.361] FindClose (in: hFindFile=0x557530 | out: hFindFile=0x557530) returned 1 [0092.361] wnsprintfW (in: pszDest=0x5b7640, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 153 [0092.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0092.361] lstrlenA (lpString="EMPTY") returned 5 [0092.361] WriteFile (in: hFile=0x1f0, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2ed9bc*=0x5, lpOverlapped=0x0) returned 1 [0092.362] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0092.362] WriteFile (in: hFile=0x1f0, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2ed9bc, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2ed9bc*=0x2ac, lpOverlapped=0x0) returned 1 [0092.362] CloseHandle (hObject=0x1f0) returned 1 [0092.362] FindNextFileW (in: hFindFile=0x5574f0, lpFindFileData=0x2edd38 | out: lpFindFileData=0x2edd38) returned 0 [0092.362] FindClose (in: hFindFile=0x5574f0 | out: hFindFile=0x5574f0) returned 1 [0092.363] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\HOW_TO_RESTORE_YOUR_FILES.txt") returned 120 [0092.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\HOW_TO_RESTORE_YOUR_FILES.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\how_to_restore_your_files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0092.363] lstrlenA (lpString="EMPTY") returned 5 [0092.363] WriteFile (in: hFile=0x1ec, lpBuffer=0xbf3104*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0xbf3104*, lpNumberOfBytesWritten=0x2edcb4*=0x5, lpOverlapped=0x0) returned 1 [0092.363] lstrlenA (lpString="x9sIj0UaNcTvPspGhQQWW1cFWQ58FBJvk+zY+pb6RvfY6A0MA243EiUl1Av5qlWyjE13nLZH/4FQtG12mnJHyOgYpFYmBD+x+1AO83cl3YImx608Y+LR3kcH4GQZ6+Z7u9Urk8F5DdEM7I/Z3I62QdlN0QNspTZQNgIQsHdT/UludmXoj5sZOnf+qNg48EQRCrq2yK8dvUoYZzLST/Fy5QgVP+hITxgzlUwUyAvk1srBe6gIu0xGiNN7BHEL7eGHkOjawNXk8+35zLlrcIYHHDpA/WqSjMexv8T+kfdMpuivbTKocDOOfhyHNUxMSmZueBE9V6NMBbTL+y4gXzgNy1+U4MBXsYhlxgqtSOdsxt1jvYfDIgKjqo5LF1Z8+DCT9qDoJEN7Dg+aBcC1uYhyn27iu9rOGJx2bLZN8D/llmmKYYLW80pwtEIvTdUmR9B1fm1ZDAANgmkPlMroNqfgzL9xZz1b0/eky799tMlWblh5ADQa6b6ZDF1wGJjUeN4FksTIxm1Q9locdiyARXOngG6OaMjX5r8bCMhIIAhQKxAQfFCJKbc0nJoF/GrnpaVEeAoT2Lxk3PfajPck0yPZqvOuoUqbnlNhNgoLzjNCq/ZfcOmTANmclcrnKrAcmixegbTCiUTUZR3FiZIvGI1PY3dv+v/0W3kbIW+kIL6/taQ=") returned 684 [0092.363] WriteFile (in: hFile=0x1ec, lpBuffer=0x568728*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x2edcb4, lpOverlapped=0x0 | out: lpBuffer=0x568728*, lpNumberOfBytesWritten=0x2edcb4*=0x2ac, lpOverlapped=0x0) returned 1 [0092.364] CloseHandle (hObject=0x1ec) returned 1 [0092.364] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0092.364] lstrcmpiW (lpString1="Favicons", lpString2="Windows") returned -1 [0092.364] lstrcmpiW (lpString1="Favicons", lpString2="Program Files") returned -1 [0092.364] lstrcmpiW (lpString1="Favicons", lpString2="Program Files (x86)") returned -1 [0092.364] lstrcmpiW (lpString1="Favicons", lpString2="$Recycle.bin") returned 1 [0092.364] lstrcmpiW (lpString1="Favicons", lpString2="System Volume Information") returned -1 [0092.364] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons") returned 88 [0092.364] StrStrIW (lpFirst="Favicons", lpSrch=".protected") returned 0x0 [0092.364] lstrcmpW (lpString1="Favicons", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0092.364] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edfd0 | out: pbBuffer=0x2edfd0) returned 1 [0092.364] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x30) returned 1 [0092.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0092.364] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons") returned 88 [0092.364] StrStrW (lpFirst="Favicons", lpSrch=".txt") returned 0x0 [0092.364] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons") returned 88 [0092.364] StrStrW (lpFirst="Favicons", lpSrch=".rar") returned 0x0 [0092.364] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons") returned 88 [0092.364] StrStrW (lpFirst="Favicons", lpSrch=".zip") returned 0x0 [0092.364] ReadFile (in: hFile=0x1ec, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edfa0*=0x2800, lpOverlapped=0x0) returned 1 [0092.432] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.433] WriteFile (in: hFile=0x1ec, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edfa0*=0x2800, lpOverlapped=0x0) returned 1 [0092.434] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.434] WriteFile (in: hFile=0x1ec, lpBuffer=0x2edfcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x2edfcc*, lpNumberOfBytesWritten=0x2edfa0*=0x4, lpOverlapped=0x0) returned 1 [0092.434] WriteFile (in: hFile=0x1ec, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edfa0*=0x30, lpOverlapped=0x0) returned 1 [0092.434] CloseHandle (hObject=0x1ec) returned 1 [0092.435] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons.protected") returned 98 [0092.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons.protected")) returned 1 [0092.435] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0092.435] lstrcmpiW (lpString1="Favicons-journal", lpString2="Windows") returned -1 [0092.435] lstrcmpiW (lpString1="Favicons-journal", lpString2="Program Files") returned -1 [0092.435] lstrcmpiW (lpString1="Favicons-journal", lpString2="Program Files (x86)") returned -1 [0092.435] lstrcmpiW (lpString1="Favicons-journal", lpString2="$Recycle.bin") returned 1 [0092.435] lstrcmpiW (lpString1="Favicons-journal", lpString2="System Volume Information") returned -1 [0092.435] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal") returned 96 [0092.435] StrStrIW (lpFirst="Favicons-journal", lpSrch=".protected") returned 0x0 [0092.435] lstrcmpW (lpString1="Favicons-journal", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0092.435] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edfd0 | out: pbBuffer=0x2edfd0) returned 1 [0092.436] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x30) returned 1 [0092.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0092.436] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal") returned 96 [0092.436] StrStrW (lpFirst="Favicons-journal", lpSrch=".txt") returned 0x0 [0092.436] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal") returned 96 [0092.436] StrStrW (lpFirst="Favicons-journal", lpSrch=".rar") returned 0x0 [0092.436] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal") returned 96 [0092.436] StrStrW (lpFirst="Favicons-journal", lpSrch=".zip") returned 0x0 [0092.436] ReadFile (in: hFile=0x1ec, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edfa0*=0x0, lpOverlapped=0x0) returned 1 [0092.436] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.436] WriteFile (in: hFile=0x1ec, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edfa0*=0x0, lpOverlapped=0x0) returned 1 [0092.437] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.437] WriteFile (in: hFile=0x1ec, lpBuffer=0x2edfcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x2edfcc*, lpNumberOfBytesWritten=0x2edfa0*=0x4, lpOverlapped=0x0) returned 1 [0092.437] WriteFile (in: hFile=0x1ec, lpBuffer=0x5d76e8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x5d76e8*, lpNumberOfBytesWritten=0x2edfa0*=0x30, lpOverlapped=0x0) returned 1 [0092.438] CloseHandle (hObject=0x1ec) returned 1 [0092.438] wnsprintfW (in: pszDest=0x5a75f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal.protected") returned 106 [0092.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal.protected" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons-journal.protected")) returned 1 [0092.439] FindNextFileW (in: hFindFile=0x5574b0, lpFindFileData=0x2ee030 | out: lpFindFileData=0x2ee030) returned 1 [0092.439] lstrcmpiW (lpString1="Google Profile.ico", lpString2="Windows") returned -1 [0092.439] lstrcmpiW (lpString1="Google Profile.ico", lpString2="Program Files") returned -1 [0092.439] lstrcmpiW (lpString1="Google Profile.ico", lpString2="Program Files (x86)") returned -1 [0092.439] lstrcmpiW (lpString1="Google Profile.ico", lpString2="$Recycle.bin") returned 1 [0092.439] lstrcmpiW (lpString1="Google Profile.ico", lpString2="System Volume Information") returned -1 [0092.439] wnsprintfW (in: pszDest=0x2df0090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico") returned 98 [0092.439] StrStrIW (lpFirst="Google Profile.ico", lpSrch=".protected") returned 0x0 [0092.439] lstrcmpW (lpString1="Google Profile.ico", lpString2="HOW_TO_RESTORE_YOUR_FILES.txt") returned -1 [0092.439] CryptGenRandom (in: hProv=0x563da0, dwLen=0x20, pbBuffer=0x2edfd0 | out: pbBuffer=0x2edfd0) returned 1 [0092.439] CryptEncrypt (in: hKey=0x557130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x20, dwBufLen=0x30 | out: pbData=0x5d76e8*, pdwDataLen=0x2edfc4*=0x30) returned 1 [0092.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\google profile.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0092.439] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico") returned 98 [0092.439] StrStrW (lpFirst="Google Profile.ico", lpSrch=".txt") returned 0x0 [0092.439] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico") returned 98 [0092.439] StrStrW (lpFirst="Google Profile.ico", lpSrch=".rar") returned 0x0 [0092.439] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico") returned 98 [0092.439] StrStrW (lpFirst="Google Profile.ico", lpSrch=".zip") returned 0x0 [0092.439] ReadFile (in: hFile=0x1ec, lpBuffer=0x61d808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesRead=0x2edfa0*=0x2800, lpOverlapped=0x0) returned 1 [0092.573] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.573] WriteFile (in: hFile=0x1ec, lpBuffer=0x61d808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0 | out: lpBuffer=0x61d808*, lpNumberOfBytesWritten=0x2edfa0*=0x2800, lpOverlapped=0x0) returned 1 [0092.574] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.574] WriteFile (hFile=0x1ec, lpBuffer=0x2edfcc, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2edfa0, lpOverlapped=0x0) Thread: id = 2 os_tid = 0x680 Thread: id = 3 os_tid = 0x380 Thread: id = 4 os_tid = 0x180 Thread: id = 5 os_tid = 0x6b8 Thread: id = 48 os_tid = 0x718 Process: id = "2" image_name = "dllhost.exe" filename = "c:\\windows\\syswow64\\dllhost.exe" page_root = "0x4ee14000" os_pid = "0x40c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x738" cmd_line = "C:\\Windows\\SysWOW64\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 219 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 220 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 221 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 222 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 223 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 224 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 225 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 226 start_va = 0xb0000 end_va = 0xb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 227 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 228 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 229 start_va = 0x170000 end_va = 0x174fff entry_point = 0x170000 region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\SysWOW64\\dllhost.exe" (normalized: "c:\\windows\\syswow64\\dllhost.exe") Region: id = 230 start_va = 0x180000 end_va = 0x1e6fff entry_point = 0x180000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 231 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 232 start_va = 0x290000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 233 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 234 start_va = 0x420000 end_va = 0x5a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 235 start_va = 0x5b0000 end_va = 0x730fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 236 start_va = 0x740000 end_va = 0x1b3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 237 start_va = 0x1b40000 end_va = 0x1b7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 238 start_va = 0x1b80000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001b80000" filename = "" Region: id = 239 start_va = 0x1be0000 end_va = 0x1c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001be0000" filename = "" Region: id = 240 start_va = 0x1c40000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 241 start_va = 0x1cb0000 end_va = 0x1ceffff entry_point = 0x0 region_type = private name = "private_0x0000000001cb0000" filename = "" Region: id = 242 start_va = 0x1cf0000 end_va = 0x1d2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cf0000" filename = "" Region: id = 243 start_va = 0x1da0000 end_va = 0x1ddffff entry_point = 0x0 region_type = private name = "private_0x0000000001da0000" filename = "" Region: id = 244 start_va = 0x1de0000 end_va = 0x20aefff entry_point = 0x1de0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 245 start_va = 0x2110000 end_va = 0x214ffff entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 246 start_va = 0x2150000 end_va = 0x222efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002150000" filename = "" Region: id = 247 start_va = 0x2240000 end_va = 0x227ffff entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 248 start_va = 0x22d0000 end_va = 0x230ffff entry_point = 0x0 region_type = private name = "private_0x00000000022d0000" filename = "" Region: id = 249 start_va = 0x74ef0000 end_va = 0x74f6ffff entry_point = 0x74ef0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 250 start_va = 0x74f80000 end_va = 0x74f87fff entry_point = 0x74f80000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 251 start_va = 0x74f90000 end_va = 0x74febfff entry_point = 0x74f90000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 252 start_va = 0x74ff0000 end_va = 0x7502efff entry_point = 0x74ff0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 253 start_va = 0x75260000 end_va = 0x7526bfff entry_point = 0x75260000 region_type = mapped_file name = "cmlua.dll" filename = "\\Windows\\SysWOW64\\cmlua.dll" (normalized: "c:\\windows\\syswow64\\cmlua.dll") Region: id = 254 start_va = 0x75270000 end_va = 0x75278fff entry_point = 0x75270000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 255 start_va = 0x75280000 end_va = 0x7528dfff entry_point = 0x75280000 region_type = mapped_file name = "cmutil.dll" filename = "\\Windows\\SysWOW64\\cmutil.dll" (normalized: "c:\\windows\\syswow64\\cmutil.dll") Region: id = 256 start_va = 0x75290000 end_va = 0x75297fff entry_point = 0x75290000 region_type = mapped_file name = "cmstplua.dll" filename = "\\Windows\\SysWOW64\\cmstplua.dll" (normalized: "c:\\windows\\syswow64\\cmstplua.dll") Region: id = 257 start_va = 0x752a0000 end_va = 0x752adfff entry_point = 0x752a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 258 start_va = 0x752b0000 end_va = 0x752eafff entry_point = 0x752b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 259 start_va = 0x752f0000 end_va = 0x75305fff entry_point = 0x752f0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 260 start_va = 0x75590000 end_va = 0x7559bfff entry_point = 0x75590000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 261 start_va = 0x755a0000 end_va = 0x755fffff entry_point = 0x755a0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 262 start_va = 0x75660000 end_va = 0x7570bfff entry_point = 0x75660000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 263 start_va = 0x75710000 end_va = 0x75719fff entry_point = 0x75710000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 264 start_va = 0x75a60000 end_va = 0x75a78fff entry_point = 0x75a60000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 265 start_va = 0x75a80000 end_va = 0x75b0ffff entry_point = 0x75a80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 266 start_va = 0x75b10000 end_va = 0x75bfffff entry_point = 0x75b10000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 267 start_va = 0x75cc0000 end_va = 0x76909fff entry_point = 0x75cc0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 268 start_va = 0x76b30000 end_va = 0x76bfbfff entry_point = 0x76b30000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 269 start_va = 0x76c00000 end_va = 0x76c5ffff entry_point = 0x76c00000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 270 start_va = 0x76c60000 end_va = 0x76ce2fff entry_point = 0x76c60000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 271 start_va = 0x76e30000 end_va = 0x76f8bfff entry_point = 0x76e30000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 272 start_va = 0x76f90000 end_va = 0x7702ffff entry_point = 0x76f90000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 273 start_va = 0x771d0000 end_va = 0x772cffff entry_point = 0x771d0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 274 start_va = 0x77350000 end_va = 0x773a6fff entry_point = 0x77350000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 275 start_va = 0x773b0000 end_va = 0x774bffff entry_point = 0x773b0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 276 start_va = 0x774c0000 end_va = 0x7754efff entry_point = 0x774c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 277 start_va = 0x77550000 end_va = 0x775ecfff entry_point = 0x77550000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 278 start_va = 0x775f0000 end_va = 0x77635fff entry_point = 0x775f0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 279 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x0 region_type = private name = "private_0x0000000077640000" filename = "" Region: id = 280 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x0 region_type = private name = "private_0x0000000077740000" filename = "" Region: id = 281 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 282 start_va = 0x77a40000 end_va = 0x77bbffff entry_point = 0x77a40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 283 start_va = 0x7efa7000 end_va = 0x7efa9fff entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 284 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 285 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 286 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 287 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 288 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 289 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 290 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 291 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 292 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 293 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 294 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 295 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 296 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 297 start_va = 0x20b0000 end_va = 0x20effff entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 298 start_va = 0x2360000 end_va = 0x239ffff entry_point = 0x0 region_type = private name = "private_0x0000000002360000" filename = "" Region: id = 299 start_va = 0x75160000 end_va = 0x75254fff entry_point = 0x75160000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 300 start_va = 0x7efa4000 end_va = 0x7efa6fff entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 301 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 302 start_va = 0x74d30000 end_va = 0x74ecdfff entry_point = 0x74d30000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 303 start_va = 0x100000 end_va = 0x101fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 304 start_va = 0x75130000 end_va = 0x75150fff entry_point = 0x75130000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 305 start_va = 0x75c70000 end_va = 0x75cb4fff entry_point = 0x75c70000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 306 start_va = 0x150000 end_va = 0x16efff entry_point = 0x150000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000016.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db") Region: id = 307 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 308 start_va = 0x75120000 end_va = 0x7512afff entry_point = 0x75120000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 309 start_va = 0xf0000 end_va = 0xf6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 310 start_va = 0x200000 end_va = 0x201fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 311 start_va = 0x23a0000 end_va = 0x249ffff entry_point = 0x0 region_type = private name = "private_0x00000000023a0000" filename = "" Region: id = 312 start_va = 0x24a0000 end_va = 0x2892fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000024a0000" filename = "" Region: id = 313 start_va = 0x750d0000 end_va = 0x7511bfff entry_point = 0x750d0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 314 start_va = 0x2d0000 end_va = 0x2d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 315 start_va = 0x74840000 end_va = 0x7486afff entry_point = 0x74840000 region_type = mapped_file name = "atl90.dll" filename = "\\Windows\\winsxs\\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_51cd0a7abbe4e19b\\ATL90.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_51cd0a7abbe4e19b\\atl90.dll") Region: id = 316 start_va = 0x74870000 end_va = 0x74912fff entry_point = 0x74870000 region_type = mapped_file name = "msvcr90.dll" filename = "\\Windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcr90.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcr90.dll") Region: id = 317 start_va = 0x74920000 end_va = 0x74d28fff entry_point = 0x74920000 region_type = mapped_file name = "grooveex.dll" filename = "\\PROGRA~2\\MICROS~1\\Office14\\GROOVEEX.DLL" (normalized: "c:\\progra~2\\micros~1\\office14\\grooveex.dll") Region: id = 318 start_va = 0x75040000 end_va = 0x750cdfff entry_point = 0x75040000 region_type = mapped_file name = "msvcp90.dll" filename = "\\Windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcp90.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcp90.dll") Region: id = 319 start_va = 0x2e0000 end_va = 0x2e3fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 320 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 321 start_va = 0x300000 end_va = 0x317fff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 322 start_va = 0x1bc0000 end_va = 0x1bcffff entry_point = 0x0 region_type = private name = "private_0x0000000001bc0000" filename = "" Region: id = 323 start_va = 0x1bd0000 end_va = 0x1bd0fff entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 324 start_va = 0x1c20000 end_va = 0x1c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c20000" filename = "" Region: id = 325 start_va = 0x1c30000 end_va = 0x1c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c30000" filename = "" Region: id = 326 start_va = 0x1c80000 end_va = 0x1c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 327 start_va = 0x1c90000 end_va = 0x1c9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c90000" filename = "" Region: id = 328 start_va = 0x1ca0000 end_va = 0x1caffff entry_point = 0x0 region_type = private name = "private_0x0000000001ca0000" filename = "" Region: id = 329 start_va = 0x1d30000 end_va = 0x1d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d30000" filename = "" Region: id = 330 start_va = 0x1d40000 end_va = 0x1d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 331 start_va = 0x1d50000 end_va = 0x1d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d50000" filename = "" Region: id = 332 start_va = 0x1d60000 end_va = 0x1d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d60000" filename = "" Region: id = 333 start_va = 0x1d70000 end_va = 0x1d73fff entry_point = 0x1d70000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 334 start_va = 0x1d80000 end_va = 0x1d83fff entry_point = 0x1d80000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 335 start_va = 0x2280000 end_va = 0x22affff entry_point = 0x2280000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db") Region: id = 336 start_va = 0x28a0000 end_va = 0x2905fff entry_point = 0x28a0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 337 start_va = 0x2970000 end_va = 0x297ffff entry_point = 0x0 region_type = private name = "private_0x0000000002970000" filename = "" Region: id = 338 start_va = 0x2b50000 end_va = 0x2b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 339 start_va = 0x75720000 end_va = 0x7583cfff entry_point = 0x75720000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 340 start_va = 0x75c60000 end_va = 0x75c6bfff entry_point = 0x75c60000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 341 start_va = 0x76930000 end_va = 0x76b2afff entry_point = 0x76930000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 342 start_va = 0x76cf0000 end_va = 0x76e25fff entry_point = 0x76cf0000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 343 start_va = 0x77040000 end_va = 0x77134fff entry_point = 0x77040000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 344 start_va = 0x1d90000 end_va = 0x1d90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d90000" filename = "" Region: id = 345 start_va = 0x75840000 end_va = 0x759dcfff entry_point = 0x75840000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 346 start_va = 0x75c30000 end_va = 0x75c56fff entry_point = 0x75c30000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 347 start_va = 0x76910000 end_va = 0x76921fff entry_point = 0x76910000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Thread: id = 6 os_tid = 0x750 Thread: id = 7 os_tid = 0x344 Thread: id = 8 os_tid = 0x7ec Thread: id = 9 os_tid = 0x7d8 Thread: id = 10 os_tid = 0x3c8 Thread: id = 11 os_tid = 0x6ec Thread: id = 12 os_tid = 0x574 Thread: id = 13 os_tid = 0x6fc Process: id = "3" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x4e79c000" os_pid = "0x678" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x40c" cmd_line = "\"C:\\Windows\\sysnative\\vssadmin.exe\" delete shadows /all /quiet" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 348 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 349 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 350 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 351 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 352 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 353 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 354 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 355 start_va = 0x7fffe000 end_va = 0x7fffefff entry_point = 0x0 region_type = private name = "private_0x000000007fffe000" filename = "" Region: id = 356 start_va = 0xff150000 end_va = 0xff17cfff entry_point = 0xff150000 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\System32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe") Region: id = 357 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 358 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 359 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 360 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 361 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 362 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 363 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 364 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 365 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 366 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 367 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 368 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 369 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 370 start_va = 0x7fef7e80000 end_va = 0x7fef7e96fff entry_point = 0x7fef7e80000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 371 start_va = 0x7fef7ea0000 end_va = 0x7fef804ffff entry_point = 0x7fef7ea0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 372 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 373 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 374 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 375 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 376 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 377 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 378 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 379 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 380 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 381 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 382 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 383 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 384 start_va = 0x440000 end_va = 0x5c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 385 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 386 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 387 start_va = 0x1d0000 end_va = 0x1d6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 388 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 389 start_va = 0x270000 end_va = 0x27cfff entry_point = 0x270000 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\System32\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssadmin.exe.mui") Region: id = 390 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 391 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 392 start_va = 0x5d0000 end_va = 0x750fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 393 start_va = 0x760000 end_va = 0x1b5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 394 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 395 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 396 start_va = 0x1cf0000 end_va = 0x1d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cf0000" filename = "" Region: id = 397 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 398 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 399 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 400 start_va = 0x1c50000 end_va = 0x1ccffff entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 401 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 402 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 403 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 404 start_va = 0x1d70000 end_va = 0x203efff entry_point = 0x1d70000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 405 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 406 start_va = 0x1bd0000 end_va = 0x1c4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 407 start_va = 0x2130000 end_va = 0x21affff entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 408 start_va = 0x7fef9000000 end_va = 0x7fef9013fff entry_point = 0x7fef9000000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 409 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 410 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Thread: id = 14 os_tid = 0x128 Thread: id = 15 os_tid = 0x79c Thread: id = 16 os_tid = 0x63c Thread: id = 17 os_tid = 0x518 Thread: id = 18 os_tid = 0x790 Process: id = "4" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x4e9f8000" os_pid = "0x658" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x678" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:00048834" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 411 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 412 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 413 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 414 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 415 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 416 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 417 start_va = 0xd0000 end_va = 0xe0fff entry_point = 0xd0000 region_type = mapped_file name = "vssvc.exe.mui" filename = "\\Windows\\System32\\en-US\\VSSVC.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssvc.exe.mui") Region: id = 418 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 419 start_va = 0x100000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 420 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 421 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 422 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 423 start_va = 0x390000 end_va = 0x390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 424 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 425 start_va = 0x410000 end_va = 0x597fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 426 start_va = 0x5a0000 end_va = 0x720fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 427 start_va = 0x730000 end_va = 0x7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 428 start_va = 0x7f0000 end_va = 0xbe2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 429 start_va = 0xbf0000 end_va = 0xc6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 430 start_va = 0xc70000 end_va = 0xceffff entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 431 start_va = 0xcf0000 end_va = 0xd6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 432 start_va = 0xd80000 end_va = 0xdfffff entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 433 start_va = 0xe00000 end_va = 0x10cefff entry_point = 0xe00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 434 start_va = 0x1230000 end_va = 0x12affff entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 435 start_va = 0x13a0000 end_va = 0x141ffff entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 436 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 437 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 438 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 439 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 440 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 441 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 442 start_va = 0xff830000 end_va = 0xff9bafff entry_point = 0xff830000 region_type = mapped_file name = "vssvc.exe" filename = "\\Windows\\System32\\VSSVC.exe" (normalized: "c:\\windows\\system32\\vssvc.exe") Region: id = 443 start_va = 0x7fef7230000 end_va = 0x7fef7248fff entry_point = 0x7fef7230000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 444 start_va = 0x7fef7250000 end_va = 0x7fef729ffff entry_point = 0x7fef7250000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 445 start_va = 0x7fef7e80000 end_va = 0x7fef7e96fff entry_point = 0x7fef7e80000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 446 start_va = 0x7fef7ea0000 end_va = 0x7fef804ffff entry_point = 0x7fef7ea0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 447 start_va = 0x7fef9000000 end_va = 0x7fef9013fff entry_point = 0x7fef9000000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 448 start_va = 0x7fef9040000 end_va = 0x7fef9053fff entry_point = 0x7fef9040000 region_type = mapped_file name = "xolehlp.dll" filename = "\\Windows\\System32\\xolehlp.dll" (normalized: "c:\\windows\\system32\\xolehlp.dll") Region: id = 449 start_va = 0x7fef9060000 end_va = 0x7fef9068fff entry_point = 0x7fef9060000 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 450 start_va = 0x7fef9070000 end_va = 0x7fef9079fff entry_point = 0x7fef9070000 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 451 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 452 start_va = 0x7fefb890000 end_va = 0x7fefb8a3fff entry_point = 0x7fefb890000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 453 start_va = 0x7fefb8b0000 end_va = 0x7fefb8c4fff entry_point = 0x7fefb8b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 454 start_va = 0x7fefb8d0000 end_va = 0x7fefb8dbfff entry_point = 0x7fefb8d0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 455 start_va = 0x7fefb8e0000 end_va = 0x7fefb8f5fff entry_point = 0x7fefb8e0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 456 start_va = 0x7fefc970000 end_va = 0x7fefc97bfff entry_point = 0x7fefc970000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 457 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 458 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 459 start_va = 0x7fefd290000 end_va = 0x7fefd2befff entry_point = 0x7fefd290000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 460 start_va = 0x7fefd340000 end_va = 0x7fefd353fff entry_point = 0x7fefd340000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 461 start_va = 0x7fefd5a0000 end_va = 0x7fefd5c2fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 462 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 463 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 464 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 465 start_va = 0x7fefd970000 end_va = 0x7fefd989fff entry_point = 0x7fefd970000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 466 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 467 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 468 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 469 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 470 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 471 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 472 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 473 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 474 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 475 start_va = 0x7feff300000 end_va = 0x7feff4d6fff entry_point = 0x7feff300000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 476 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 477 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 478 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 479 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 480 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 481 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 482 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 483 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 484 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 485 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 486 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 487 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 488 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 489 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 490 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 491 start_va = 0x7fefbff0000 end_va = 0x7fefc00cfff entry_point = 0x7fefbff0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 492 start_va = 0x3a0000 end_va = 0x3a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 493 start_va = 0x7fefb1c0000 end_va = 0x7fefb226fff entry_point = 0x7fefb1c0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 625 start_va = 0x7fefc540000 end_va = 0x7fefc66bfff entry_point = 0x7fefc540000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 626 start_va = 0x7fef4690000 end_va = 0x7fef4714fff entry_point = 0x7fef4690000 region_type = mapped_file name = "catsrvut.dll" filename = "\\Windows\\System32\\catsrvut.dll" (normalized: "c:\\windows\\system32\\catsrvut.dll") Region: id = 627 start_va = 0x7fef9030000 end_va = 0x7fef903bfff entry_point = 0x7fef9030000 region_type = mapped_file name = "mfcsubs.dll" filename = "\\Windows\\System32\\mfcsubs.dll" (normalized: "c:\\windows\\system32\\mfcsubs.dll") Thread: id = 19 os_tid = 0x54c Thread: id = 20 os_tid = 0x37c Thread: id = 21 os_tid = 0x5ac Thread: id = 22 os_tid = 0x5d4 Thread: id = 23 os_tid = 0x428 Thread: id = 24 os_tid = 0x44c Thread: id = 25 os_tid = 0x67c Thread: id = 40 os_tid = 0x5bc Thread: id = 47 os_tid = 0x308 Thread: id = 50 os_tid = 0x820 Thread: id = 73 os_tid = 0xa60 Process: id = "5" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x18692000" os_pid = "0xf0" os_integrity_level = "0x4000" os_privileges = "0x60801000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x658" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ddc8" [0xc000000f], "LOCAL" [0x7] Region: id = 494 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 495 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 496 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 497 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 498 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 499 start_va = 0xc0000 end_va = 0x17ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 500 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 501 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 502 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 503 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 504 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 505 start_va = 0x240000 end_va = 0x250fff entry_point = 0x240000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 506 start_va = 0x260000 end_va = 0x263fff entry_point = 0x260000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 507 start_va = 0x270000 end_va = 0x271fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 508 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 509 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 510 start_va = 0x480000 end_va = 0x480fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 511 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 512 start_va = 0x4a0000 end_va = 0x627fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 513 start_va = 0x630000 end_va = 0x7b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 514 start_va = 0x7c0000 end_va = 0xbb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 515 start_va = 0xbc0000 end_va = 0xbc0fff entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 516 start_va = 0xc20000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 517 start_va = 0xd00000 end_va = 0xd7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 518 start_va = 0xe70000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 519 start_va = 0xef0000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 520 start_va = 0xf70000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 521 start_va = 0x1080000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 522 start_va = 0x10a0000 end_va = 0x136efff entry_point = 0x10a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 523 start_va = 0x1370000 end_va = 0x146ffff entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 524 start_va = 0x1470000 end_va = 0x156ffff entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 525 start_va = 0x1600000 end_va = 0x167ffff entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 526 start_va = 0x16b0000 end_va = 0x172ffff entry_point = 0x0 region_type = private name = "private_0x00000000016b0000" filename = "" Region: id = 527 start_va = 0x1790000 end_va = 0x180ffff entry_point = 0x0 region_type = private name = "private_0x0000000001790000" filename = "" Region: id = 528 start_va = 0x1870000 end_va = 0x18effff entry_point = 0x0 region_type = private name = "private_0x0000000001870000" filename = "" Region: id = 529 start_va = 0x1930000 end_va = 0x193ffff entry_point = 0x0 region_type = private name = "private_0x0000000001930000" filename = "" Region: id = 530 start_va = 0x1960000 end_va = 0x19dffff entry_point = 0x0 region_type = private name = "private_0x0000000001960000" filename = "" Region: id = 531 start_va = 0x1aa0000 end_va = 0x1b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001aa0000" filename = "" Region: id = 532 start_va = 0x1bb0000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001bb0000" filename = "" Region: id = 533 start_va = 0x1bc0000 end_va = 0x1c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bc0000" filename = "" Region: id = 534 start_va = 0x1c40000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 535 start_va = 0x1cc0000 end_va = 0x1d7ffff entry_point = 0x1cc0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 536 start_va = 0x1db0000 end_va = 0x1e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 537 start_va = 0x1e70000 end_va = 0x1eeffff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 538 start_va = 0x1f30000 end_va = 0x1faffff entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 539 start_va = 0x1fb0000 end_va = 0x21affff entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 540 start_va = 0x2420000 end_va = 0x249ffff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 541 start_va = 0x73f90000 end_va = 0x73f92fff entry_point = 0x73f90000 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 542 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 543 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 544 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 545 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 546 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 547 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 548 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 549 start_va = 0x7fef4b90000 end_va = 0x7fef4ba7fff entry_point = 0x7fef4b90000 region_type = mapped_file name = "vmictimeprovider.dll" filename = "\\Windows\\System32\\vmictimeprovider.dll" (normalized: "c:\\windows\\system32\\vmictimeprovider.dll") Region: id = 550 start_va = 0x7fef4bb0000 end_va = 0x7fef4c0ffff entry_point = 0x7fef4bb0000 region_type = mapped_file name = "w32time.dll" filename = "\\Windows\\System32\\w32time.dll" (normalized: "c:\\windows\\system32\\w32time.dll") Region: id = 551 start_va = 0x7fef69e0000 end_va = 0x7fef69ebfff entry_point = 0x7fef69e0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 552 start_va = 0x7fef6a30000 end_va = 0x7fef6b07fff entry_point = 0x7fef6a30000 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 553 start_va = 0x7fef6d60000 end_va = 0x7fef6d67fff entry_point = 0x7fef6d60000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 554 start_va = 0x7fef6d70000 end_va = 0x7fef6de3fff entry_point = 0x7fef6d70000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 555 start_va = 0x7fef7b60000 end_va = 0x7fef7b78fff entry_point = 0x7fef7b60000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 556 start_va = 0x7fef7b80000 end_va = 0x7fef7b8ffff entry_point = 0x7fef7b80000 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 557 start_va = 0x7fef7b90000 end_va = 0x7fef7ba1fff entry_point = 0x7fef7b90000 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 558 start_va = 0x7fef7d00000 end_va = 0x7fef7d63fff entry_point = 0x7fef7d00000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 559 start_va = 0x7fef7d70000 end_va = 0x7fef7de0fff entry_point = 0x7fef7d70000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 560 start_va = 0x7fef8860000 end_va = 0x7fef88dbfff entry_point = 0x7fef8860000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 561 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 562 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 563 start_va = 0x7fefafe0000 end_va = 0x7fefb032fff entry_point = 0x7fefafe0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 564 start_va = 0x7fefb110000 end_va = 0x7fefb119fff entry_point = 0x7fefb110000 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 565 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 566 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 567 start_va = 0x7fefb1c0000 end_va = 0x7fefb226fff entry_point = 0x7fefb1c0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 568 start_va = 0x7fefb240000 end_va = 0x7fefb24bfff entry_point = 0x7fefb240000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 569 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 570 start_va = 0x7fefb990000 end_va = 0x7fefb9a8fff entry_point = 0x7fefb990000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 571 start_va = 0x7fefb9b0000 end_va = 0x7fefb9c4fff entry_point = 0x7fefb9b0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 572 start_va = 0x7fefba30000 end_va = 0x7fefba3afff entry_point = 0x7fefba30000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 573 start_va = 0x7fefbbb0000 end_va = 0x7fefbbc7fff entry_point = 0x7fefbbb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 574 start_va = 0x7fefc970000 end_va = 0x7fefc97bfff entry_point = 0x7fefc970000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 575 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 576 start_va = 0x7fefcb30000 end_va = 0x7fefcb4afff entry_point = 0x7fefcb30000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 577 start_va = 0x7fefcb50000 end_va = 0x7fefcb6dfff entry_point = 0x7fefcb50000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 578 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 579 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 580 start_va = 0x7fefce90000 end_va = 0x7fefcebffff entry_point = 0x7fefce90000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 581 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 582 start_va = 0x7fefd030000 end_va = 0x7fefd036fff entry_point = 0x7fefd030000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 583 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 584 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 585 start_va = 0x7fefd340000 end_va = 0x7fefd353fff entry_point = 0x7fefd340000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 586 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 587 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 588 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 589 start_va = 0x7fefd6b0000 end_va = 0x7fefd740fff entry_point = 0x7fefd6b0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 590 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 591 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff entry_point = 0x7fefd7b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 592 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 593 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 594 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 595 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 596 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 597 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 598 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 599 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 600 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 601 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 602 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 603 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 604 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 605 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 606 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 607 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 608 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 609 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 610 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 611 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 612 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 613 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 614 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 615 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 616 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 617 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 618 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 619 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 620 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 621 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 622 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 623 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 624 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Thread: id = 26 os_tid = 0x5fc Thread: id = 27 os_tid = 0x66c Thread: id = 28 os_tid = 0x7ac Thread: id = 29 os_tid = 0x7a8 Thread: id = 30 os_tid = 0x780 Thread: id = 31 os_tid = 0x77c Thread: id = 32 os_tid = 0x758 Thread: id = 33 os_tid = 0x754 Thread: id = 34 os_tid = 0x61c Thread: id = 35 os_tid = 0x158 Thread: id = 36 os_tid = 0x154 Thread: id = 37 os_tid = 0x130 Thread: id = 38 os_tid = 0x12c Thread: id = 39 os_tid = 0x11c Thread: id = 49 os_tid = 0x244 Thread: id = 52 os_tid = 0x924 Thread: id = 53 os_tid = 0x9d0 Thread: id = 71 os_tid = 0xa50 Thread: id = 77 os_tid = 0xb10 Thread: id = 78 os_tid = 0xb18 Thread: id = 79 os_tid = 0xb1c Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4e8fd000" os_pid = "0x72c" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x658" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:00048b8f" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 632 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 633 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 634 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 635 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 636 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 637 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 638 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 639 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 640 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 641 start_va = 0x100000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 642 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 643 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 644 start_va = 0x390000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 645 start_va = 0x4b0000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 646 start_va = 0x530000 end_va = 0x5effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 647 start_va = 0x650000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 648 start_va = 0x790000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 649 start_va = 0x810000 end_va = 0xadefff entry_point = 0x810000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 650 start_va = 0xae0000 end_va = 0xc67fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 651 start_va = 0xc70000 end_va = 0xdf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c70000" filename = "" Region: id = 652 start_va = 0xe00000 end_va = 0x11f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 653 start_va = 0x1240000 end_va = 0x12bffff entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 654 start_va = 0x1300000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 655 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 656 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 657 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 658 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 659 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 660 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 661 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 662 start_va = 0x7fef4600000 end_va = 0x7fef4681fff entry_point = 0x7fef4600000 region_type = mapped_file name = "swprv.dll" filename = "\\Windows\\System32\\swprv.dll" (normalized: "c:\\windows\\system32\\swprv.dll") Region: id = 663 start_va = 0x7fef7e80000 end_va = 0x7fef7e96fff entry_point = 0x7fef7e80000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 664 start_va = 0x7fef9000000 end_va = 0x7fef9013fff entry_point = 0x7fef9000000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 665 start_va = 0x7fef9060000 end_va = 0x7fef9068fff entry_point = 0x7fef9060000 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 666 start_va = 0x7fef9070000 end_va = 0x7fef9079fff entry_point = 0x7fef9070000 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 667 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 668 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 669 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 670 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 671 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 672 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 673 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 674 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 675 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 676 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 677 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 678 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 679 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 680 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 681 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 682 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 683 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 684 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 685 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 686 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 687 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 688 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 689 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 690 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 691 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 692 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 693 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 694 start_va = 0x7fef7ea0000 end_va = 0x7fef804ffff entry_point = 0x7fef7ea0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Thread: id = 41 os_tid = 0x4f8 Thread: id = 42 os_tid = 0x528 Thread: id = 43 os_tid = 0x7d4 Thread: id = 44 os_tid = 0x594 Thread: id = 45 os_tid = 0x364 Thread: id = 46 os_tid = 0x720 Thread: id = 51 os_tid = 0x824 Thread: id = 74 os_tid = 0xa64 Process: id = "7" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x8da9000" os_pid = "0x268" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0xf0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e915" [0xc000000f], "LOCAL" [0x7] Region: id = 710 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 711 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 712 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 713 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 714 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 715 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 716 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 717 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 718 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 719 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 720 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 721 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 722 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 723 start_va = 0x1b0000 end_va = 0x1c9fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 724 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 725 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 726 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 727 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 728 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 729 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 730 start_va = 0x230000 end_va = 0x23ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 731 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 732 start_va = 0x250000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 733 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 734 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 735 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 736 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 737 start_va = 0x480000 end_va = 0x480fff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 738 start_va = 0x490000 end_va = 0x491fff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 739 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 740 start_va = 0x4b0000 end_va = 0x4b4fff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 741 start_va = 0x4c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 742 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 743 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 744 start_va = 0x4f0000 end_va = 0x677fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 745 start_va = 0x680000 end_va = 0x800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 746 start_va = 0x810000 end_va = 0x8cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 747 start_va = 0x8d0000 end_va = 0xcc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 748 start_va = 0xcd0000 end_va = 0xd8ffff entry_point = 0xcd0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 749 start_va = 0xd90000 end_va = 0xd90fff entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 750 start_va = 0xda0000 end_va = 0xdaffff entry_point = 0xda0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 751 start_va = 0xdb0000 end_va = 0xdbffff entry_point = 0xdb0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 752 start_va = 0xdc0000 end_va = 0xdcffff entry_point = 0xdc0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 753 start_va = 0xdd0000 end_va = 0xddffff entry_point = 0xdd0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 754 start_va = 0xde0000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 755 start_va = 0xe60000 end_va = 0xe6ffff entry_point = 0xe60000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 756 start_va = 0xe70000 end_va = 0xe7ffff entry_point = 0xe70000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 757 start_va = 0xe80000 end_va = 0xe8ffff entry_point = 0xe80000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 758 start_va = 0xe90000 end_va = 0xe9ffff entry_point = 0xe90000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 759 start_va = 0xea0000 end_va = 0xeaffff entry_point = 0xea0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 760 start_va = 0xeb0000 end_va = 0xf2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 761 start_va = 0xf30000 end_va = 0x11fefff entry_point = 0xf30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 762 start_va = 0x1200000 end_va = 0x127ffff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 763 start_va = 0x1280000 end_va = 0x128ffff entry_point = 0x1280000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 764 start_va = 0x1290000 end_va = 0x129ffff entry_point = 0x1290000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 765 start_va = 0x12a0000 end_va = 0x12affff entry_point = 0x12a0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 766 start_va = 0x12b0000 end_va = 0x12bffff entry_point = 0x12b0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 767 start_va = 0x1310000 end_va = 0x131ffff entry_point = 0x1310000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 768 start_va = 0x1320000 end_va = 0x132ffff entry_point = 0x1320000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 769 start_va = 0x1330000 end_va = 0x133ffff entry_point = 0x1330000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 770 start_va = 0x1340000 end_va = 0x134ffff entry_point = 0x1340000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 771 start_va = 0x1350000 end_va = 0x135ffff entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 772 start_va = 0x1360000 end_va = 0x13dffff entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 773 start_va = 0x13e0000 end_va = 0x13effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013e0000" filename = "" Region: id = 774 start_va = 0x13f0000 end_va = 0x13fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013f0000" filename = "" Region: id = 775 start_va = 0x1400000 end_va = 0x140ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001400000" filename = "" Region: id = 776 start_va = 0x1410000 end_va = 0x141ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001410000" filename = "" Region: id = 777 start_va = 0x1420000 end_va = 0x142ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001420000" filename = "" Region: id = 778 start_va = 0x1430000 end_va = 0x143ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001430000" filename = "" Region: id = 779 start_va = 0x1440000 end_va = 0x144ffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 780 start_va = 0x1450000 end_va = 0x14cffff entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 781 start_va = 0x14d0000 end_va = 0x14dffff entry_point = 0x0 region_type = private name = "private_0x00000000014d0000" filename = "" Region: id = 782 start_va = 0x1560000 end_va = 0x15dffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 783 start_va = 0x15e0000 end_va = 0x15effff entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 784 start_va = 0x15f0000 end_va = 0x166ffff entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 785 start_va = 0x1670000 end_va = 0x167ffff entry_point = 0x0 region_type = private name = "private_0x0000000001670000" filename = "" Region: id = 786 start_va = 0x1680000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 787 start_va = 0x1700000 end_va = 0x1700fff entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 788 start_va = 0x1710000 end_va = 0x1710fff entry_point = 0x0 region_type = private name = "private_0x0000000001710000" filename = "" Region: id = 789 start_va = 0x1720000 end_va = 0x172ffff entry_point = 0x0 region_type = private name = "private_0x0000000001720000" filename = "" Region: id = 790 start_va = 0x1760000 end_va = 0x17dffff entry_point = 0x0 region_type = private name = "private_0x0000000001760000" filename = "" Region: id = 791 start_va = 0x1810000 end_va = 0x188ffff entry_point = 0x0 region_type = private name = "private_0x0000000001810000" filename = "" Region: id = 792 start_va = 0x18c0000 end_va = 0x19bffff entry_point = 0x0 region_type = private name = "private_0x00000000018c0000" filename = "" Region: id = 793 start_va = 0x1a40000 end_va = 0x1abffff entry_point = 0x0 region_type = private name = "private_0x0000000001a40000" filename = "" Region: id = 794 start_va = 0x1ac0000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001ac0000" filename = "" Region: id = 795 start_va = 0x1bd0000 end_va = 0x1bdffff entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 796 start_va = 0x1ca0000 end_va = 0x1caffff entry_point = 0x0 region_type = private name = "private_0x0000000001ca0000" filename = "" Region: id = 797 start_va = 0x1cb0000 end_va = 0x1daffff entry_point = 0x0 region_type = private name = "private_0x0000000001cb0000" filename = "" Region: id = 798 start_va = 0x1dd0000 end_va = 0x1e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 799 start_va = 0x1f10000 end_va = 0x1f8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f10000" filename = "" Region: id = 800 start_va = 0x1f90000 end_va = 0x208ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 801 start_va = 0x20d0000 end_va = 0x214ffff entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 802 start_va = 0x2150000 end_va = 0x224ffff entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 803 start_va = 0x2270000 end_va = 0x22effff entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 804 start_va = 0x23f0000 end_va = 0x246ffff entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 805 start_va = 0x2470000 end_va = 0x256ffff entry_point = 0x0 region_type = private name = "private_0x0000000002470000" filename = "" Region: id = 806 start_va = 0x25a0000 end_va = 0x25affff entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 807 start_va = 0x25b0000 end_va = 0x35affff entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 808 start_va = 0x36c0000 end_va = 0x373ffff entry_point = 0x0 region_type = private name = "private_0x00000000036c0000" filename = "" Region: id = 809 start_va = 0x37a0000 end_va = 0x381ffff entry_point = 0x0 region_type = private name = "private_0x00000000037a0000" filename = "" Region: id = 810 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 811 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 812 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 813 start_va = 0x77a30000 end_va = 0x77a36fff entry_point = 0x77a30000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 814 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 815 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 816 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 817 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 818 start_va = 0x7fef4860000 end_va = 0x7fef4ad9fff entry_point = 0x7fef4860000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 819 start_va = 0x7fef6d60000 end_va = 0x7fef6d67fff entry_point = 0x7fef6d60000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 820 start_va = 0x7fef7940000 end_va = 0x7fef7950fff entry_point = 0x7fef7940000 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 821 start_va = 0x7fef7d00000 end_va = 0x7fef7d63fff entry_point = 0x7fef7d00000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 822 start_va = 0x7fef7d70000 end_va = 0x7fef7de0fff entry_point = 0x7fef7d70000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 823 start_va = 0x7fef7df0000 end_va = 0x7fef7e27fff entry_point = 0x7fef7df0000 region_type = mapped_file name = "ncsi.dll" filename = "\\Windows\\System32\\ncsi.dll" (normalized: "c:\\windows\\system32\\ncsi.dll") Region: id = 824 start_va = 0x7fef7e30000 end_va = 0x7fef7e7dfff entry_point = 0x7fef7e30000 region_type = mapped_file name = "nlasvc.dll" filename = "\\Windows\\System32\\nlasvc.dll" (normalized: "c:\\windows\\system32\\nlasvc.dll") Region: id = 825 start_va = 0x7fef7e80000 end_va = 0x7fef7e96fff entry_point = 0x7fef7e80000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 826 start_va = 0x7fef7ea0000 end_va = 0x7fef804ffff entry_point = 0x7fef7ea0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 827 start_va = 0x7fef80c0000 end_va = 0x7fef80effff entry_point = 0x7fef80c0000 region_type = mapped_file name = "cryptsvc.dll" filename = "\\Windows\\System32\\cryptsvc.dll" (normalized: "c:\\windows\\system32\\cryptsvc.dll") Region: id = 828 start_va = 0x7fef81c0000 end_va = 0x7fef81dffff entry_point = 0x7fef81c0000 region_type = mapped_file name = "wkssvc.dll" filename = "\\Windows\\System32\\wkssvc.dll" (normalized: "c:\\windows\\system32\\wkssvc.dll") Region: id = 829 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 830 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 831 start_va = 0x7fefafd0000 end_va = 0x7fefafd6fff entry_point = 0x7fefafd0000 region_type = mapped_file name = "dnsext.dll" filename = "\\Windows\\System32\\dnsext.dll" (normalized: "c:\\windows\\system32\\dnsext.dll") Region: id = 832 start_va = 0x7fefafe0000 end_va = 0x7fefb032fff entry_point = 0x7fefafe0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 833 start_va = 0x7fefb040000 end_va = 0x7fefb06ffff entry_point = 0x7fefb040000 region_type = mapped_file name = "dnsrslvr.dll" filename = "\\Windows\\System32\\dnsrslvr.dll" (normalized: "c:\\windows\\system32\\dnsrslvr.dll") Region: id = 834 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 835 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 836 start_va = 0x7fefb1c0000 end_va = 0x7fefb226fff entry_point = 0x7fefb1c0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 837 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 838 start_va = 0x7fefb890000 end_va = 0x7fefb8a3fff entry_point = 0x7fefb890000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 839 start_va = 0x7fefb8b0000 end_va = 0x7fefb8c4fff entry_point = 0x7fefb8b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 840 start_va = 0x7fefb8d0000 end_va = 0x7fefb8dbfff entry_point = 0x7fefb8d0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 841 start_va = 0x7fefba10000 end_va = 0x7fefba20fff entry_point = 0x7fefba10000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 842 start_va = 0x7fefbff0000 end_va = 0x7fefc00cfff entry_point = 0x7fefbff0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 843 start_va = 0x7fefc540000 end_va = 0x7fefc66bfff entry_point = 0x7fefc540000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 844 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 845 start_va = 0x7fefcb30000 end_va = 0x7fefcb4afff entry_point = 0x7fefcb30000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 846 start_va = 0x7fefcb50000 end_va = 0x7fefcb6dfff entry_point = 0x7fefcb50000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 847 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 848 start_va = 0x7fefcce0000 end_va = 0x7fefcd2bfff entry_point = 0x7fefcce0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 849 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 850 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 851 start_va = 0x7fefd030000 end_va = 0x7fefd036fff entry_point = 0x7fefd030000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 852 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 853 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 854 start_va = 0x7fefd1b0000 end_va = 0x7fefd1e1fff entry_point = 0x7fefd1b0000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 855 start_va = 0x7fefd210000 end_va = 0x7fefd231fff entry_point = 0x7fefd210000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 856 start_va = 0x7fefd2d0000 end_va = 0x7fefd33cfff entry_point = 0x7fefd2d0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 857 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 858 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 859 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 860 start_va = 0x7fefd750000 end_va = 0x7fefd78cfff entry_point = 0x7fefd750000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 861 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 862 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff entry_point = 0x7fefd7b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 863 start_va = 0x7fefd850000 end_va = 0x7fefd85efff entry_point = 0x7fefd850000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 864 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 865 start_va = 0x7fefd990000 end_va = 0x7fefdaf6fff entry_point = 0x7fefd990000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 866 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 867 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 868 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 869 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 870 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 871 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 872 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 873 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 874 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 875 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 876 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 877 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 878 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 879 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 880 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 881 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 882 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 883 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 884 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 885 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 886 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 887 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 888 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 889 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 890 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 891 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 892 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 893 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 894 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 895 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 896 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 897 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 898 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 899 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 900 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 901 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 54 os_tid = 0x138 Thread: id = 55 os_tid = 0x588 Thread: id = 56 os_tid = 0x740 Thread: id = 57 os_tid = 0x7a0 Thread: id = 58 os_tid = 0x794 Thread: id = 59 os_tid = 0x744 Thread: id = 60 os_tid = 0x674 Thread: id = 61 os_tid = 0x654 Thread: id = 62 os_tid = 0x608 Thread: id = 63 os_tid = 0x5e8 Thread: id = 64 os_tid = 0x41c Thread: id = 65 os_tid = 0x418 Thread: id = 66 os_tid = 0x414 Thread: id = 67 os_tid = 0x3d8 Thread: id = 68 os_tid = 0x370 Thread: id = 69 os_tid = 0x2b0 Thread: id = 70 os_tid = 0x290 Thread: id = 72 os_tid = 0xa54 Thread: id = 75 os_tid = 0xac4 Thread: id = 76 os_tid = 0xb08 Thread: id = 80 os_tid = 0xb20 Process: id = "8" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0x0" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 978 start_va = 0x10000 end_va = 0x32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 979 start_va = 0x77250000 end_va = 0x773f8fff entry_point = 0x77250000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 980 start_va = 0x77430000 end_va = 0x775affff entry_point = 0x77430000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 981 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Thread: id = 81 os_tid = 0x8 Thread: id = 82 os_tid = 0xc4 Thread: id = 83 os_tid = 0xb0 Thread: id = 84 os_tid = 0x9c Thread: id = 85 os_tid = 0x78 Thread: id = 86 os_tid = 0xc0 Thread: id = 87 os_tid = 0x28 Thread: id = 88 os_tid = 0x3c Thread: id = 89 os_tid = 0x24 Thread: id = 90 os_tid = 0x20 Thread: id = 91 os_tid = 0x38 Thread: id = 92 os_tid = 0x30 Thread: id = 93 os_tid = 0x40 [0228.718] ExAllocatePoolWithTag (PoolType=0x0, NumberOfBytes=0x1d342, Tag=0x72775044) returned 0xfffffa8001a07000 [0228.983] KeDelayExecutionThread (WaitMode=0x0, Alertable=0, Interval=0xfffff88002fa45a8*=-1277734455) Thread: id = 94 os_tid = 0xc8 Thread: id = 95 os_tid = 0x5c Thread: id = 96 os_tid = 0x34 Thread: id = 97 os_tid = 0x4c Thread: id = 98 os_tid = 0x80 Thread: id = 99 os_tid = 0xcc Thread: id = 100 os_tid = 0x48 Thread: id = 101 os_tid = 0xd0 Thread: id = 102 os_tid = 0xb8 Thread: id = 103 os_tid = 0xd4 Thread: id = 104 os_tid = 0xd8 Thread: id = 105 os_tid = 0xdc Thread: id = 106 os_tid = 0xe8 Thread: id = 107 os_tid = 0xec Thread: id = 108 os_tid = 0x64 Thread: id = 109 os_tid = 0x2c Thread: id = 110 os_tid = 0xfc Thread: id = 111 os_tid = 0x104 Thread: id = 112 os_tid = 0x114 Thread: id = 113 os_tid = 0x108 Thread: id = 114 os_tid = 0x10c Thread: id = 115 os_tid = 0x12c Thread: id = 116 os_tid = 0x130 Thread: id = 117 os_tid = 0x134 Thread: id = 118 os_tid = 0x138 Thread: id = 119 os_tid = 0x174 Thread: id = 120 os_tid = 0x90 Thread: id = 121 os_tid = 0x68 Thread: id = 122 os_tid = 0x100 Thread: id = 123 os_tid = 0x84 Thread: id = 124 os_tid = 0x88 Thread: id = 125 os_tid = 0x98 Thread: id = 126 os_tid = 0x74 Thread: id = 127 os_tid = 0x268 Thread: id = 128 os_tid = 0x2dc Thread: id = 129 os_tid = 0x8c Thread: id = 130 os_tid = 0x1c Thread: id = 131 os_tid = 0x3b4 Thread: id = 132 os_tid = 0x454 Thread: id = 133 os_tid = 0x4d4 Thread: id = 134 os_tid = 0x4f4 Thread: id = 135 os_tid = 0x504 Thread: id = 136 os_tid = 0x508 Thread: id = 137 os_tid = 0x578 Thread: id = 138 os_tid = 0x5a4 Thread: id = 139 os_tid = 0x5ac Thread: id = 140 os_tid = 0x5c0 Thread: id = 141 os_tid = 0x5c8 Thread: id = 142 os_tid = 0x5d4 Thread: id = 143 os_tid = 0x5e0 Thread: id = 144 os_tid = 0x45c Thread: id = 145 os_tid = 0x94 Thread: id = 146 os_tid = 0x458 Thread: id = 147 os_tid = 0x6f0 Thread: id = 148 os_tid = 0x7a0 Thread: id = 149 os_tid = 0x50 Thread: id = 150 os_tid = 0x0 [0228.717] ExQueueWorkItem (in: WorkItem=0xfffffa80019a03d6*(List.Flink=0x0, List.Blink=0x0, WorkerRoutine=0xfffffa80019a4fbb, Parameter=0xfffffa80019a0196), QueueType=0x1 | out: WorkItem=0xfffffa80019a03d6*(List.Flink=0xfffff80002a66670, List.Blink=0xfffff80002a67fc0, WorkerRoutine=0xfffffa80019a4fbb, Parameter=0xfffffa80019a0196)) Thread: id = 151 os_tid = 0x424 Thread: id = 152 os_tid = 0x590 Thread: id = 153 os_tid = 0x60 Thread: id = 154 os_tid = 0x608